[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]
UNDERSTANDING CONSUMER ATTITUDES ABOUT PRIVACY
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
__________
OCTOBER 13, 2011
__________
Serial No. 112-96
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
U.S. GOVERNMENT PRINTING OFFICE
74-605 WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202�09512�091800, or 866�09512�091800 (toll-free). E-mail, [email protected].
COMMITTEE ON ENERGY AND COMMERCE
FRED UPTON, Michigan
Chairman
JOE BARTON, Texas HENRY A. WAXMAN, California
Chairman Emeritus Ranking Member
CLIFF STEARNS, Florida JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky Chairman Emeritus
JOHN SHIMKUS, Illinois EDWARD J. MARKEY, Massachusetts
JOSEPH R. PITTS, Pennsylvania EDOLPHUS TOWNS, New York
MARY BONO MACK, California FRANK PALLONE, Jr., New Jersey
GREG WALDEN, Oregon BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska ANNA G. ESHOO, California
MIKE ROGERS, Michigan ELIOT L. ENGEL, New York
SUE WILKINS MYRICK, North Carolina GENE GREEN, Texas
Vice Chairman DIANA DeGETTE, Colorado
JOHN SULLIVAN, Oklahoma LOIS CAPPS, California
TIM MURPHY, Pennsylvania MICHAEL F. DOYLE, Pennsylvania
MICHAEL C. BURGESS, Texas JANICE D. SCHAKOWSKY, Illinois
MARSHA BLACKBURN, Tennessee CHARLES A. GONZALEZ, Texas
BRIAN P. BILBRAY, California JAY INSLEE, Washington
CHARLES F. BASS, New Hampshire TAMMY BALDWIN, Wisconsin
PHIL GINGREY, Georgia MIKE ROSS, Arkansas
STEVE SCALISE, Louisiana JIM MATHESON, Utah
ROBERT E. LATTA, Ohio G.K. BUTTERFIELD, North Carolina
CATHY McMORRIS RODGERS, Washington JOHN BARROW, Georgia
GREGG HARPER, Mississippi DORIS O. MATSUI, California
LEONARD LANCE, New Jersey DONNA M. CHRISTENSEN, Virgin
BILL CASSIDY, Louisiana Islands
BRETT GUTHRIE, Kentucky KATHY CASTOR, Florida
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia
7_____
Subcommittee on Commerce, Manufacturing, and Trade
MARY BONO MACK, California
Chairman
MARSHA BLACKBURN, Tennessee G.K. BUTTERFIELD, North Carolina
Vice Chairman Ranking Member
CLIFF STEARNS, Florida CHARLES A. GONZALEZ, Texas
CHARLES F. BASS, New Hampshire JIM MATHESON, Utah
GREGG HARPER, Mississippi JOHN D. DINGELL, Michigan
LEONARD LANCE, New Jersey EDOLPHUS TOWNS, New York
BILL CASSIDY, Louisiana BOBBY L. RUSH, Illinois
BRETT GUTHRIE, Kentucky JANICE D. SCHAKOWSKY, Illinois
PETE OLSON, Texas MIKE ROSS, Arkansas
DAVID B. McKINLEY, West Virginia HENRY A. WAXMAN, California (ex
MIKE POMPEO, Kansas officio)
ADAM KINZINGER, Illinois
JOE BARTON, Texas
FRED UPTON, Michigan (ex officio)
(ii)
C O N T E N T S
----------
Page
Hon. Mary Bono Mack, a Representative in Congress from the State
of California, opening statement............................... 1
Prepared statement........................................... 4
Hon. G.K. Butterfield, a Representative in Congress from the
State of North Carolina, opening statement..................... 6
Hon. Marsha Blackburn, a Representative in Congress from the
State of Tennessee, opening statement.......................... 7
Prepared statement........................................... 9
Hon. Joe Barton, a Representative in Congress from the State of
Texas, opening statement....................................... 10
Prepared statement........................................... 11
Hon. Pete Olson, a Representative in Congress from the State of
Texas, opening statement....................................... 13
Hon. Cliff Stearns, a Representative in Congress from the State
of Florida, prepared statement................................. 190
Hon. Henry A. Waxman, a Representative in Congress from the State
of California, prepared statement.............................. 191
Hon. John D. Dingell, a Representative in Congress from the State
of Michigan, prepared statement................................ 196
Witnesses
Barbara Lawler, Chief Privacy Officer, Intuit.................... 14
Prepared statement........................................... 16
Answers to submitted questions............................... 201
Mike Hintze, Associate General Counsel, Microsoft Corporation.... 30
Prepared statement........................................... 32
Answers to submitted questions............................... 203
Scott Meyer, CEO, Evidon......................................... 56
Prepared statement........................................... 58
Answers to submitted questions............................... 206
Linda Woolley, Executive Vice President, Washington Operations,
Direct Marketing Association, on behalf of Digital Advertising
Alliance....................................................... 75
Prepared statement........................................... 77
Answers to submitted questions............................... 209
Allessandro Acquisti, Associate Professor of Information
Technology and Public Policy, Heinz College, Carnegie Mellon
University..................................................... 97
Prepared statement........................................... 99
Answers to submitted questions............................... 214
Pam Dixon, Executive Director, World Privacy Forum............... 112
Prepared statement........................................... 114
Submitted Material
Majority memorandum, dated October 13, 2011, submitted by Mrs.
Bono Mack...................................................... 197
UNDERSTANDING CONSUMER ATTITUDES ABOUT PRIVACY
----------
THURSDAY, OCTOBER 13, 2011
House of Representatives,
Subcommittee on Commerce, Manufacturing, and Trade,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 9:06 a.m., in
room 2123, Rayburn House Office Building, Hon. Mary Bono Mack
(chairman of the subcommittee) presiding.
Members present: Representatives Bono Mack, Blackburn,
Stearns, Bass, Harper, Lance, Cassidy, Guthrie, Olson, Pompeo,
Kinzinger, Barton, Butterfield, Gonzalez, Matheson, Dingell,
and Towns.
Staff present: Jim Barnette, General Counsel; Brian
McCullough, Senior Professional Staff Member, CMT; Jeff
Mortier, Professional Staff Member; Gib Mullan, Chief Counsel,
CMT; Andrew Powaleny, Press Assistant; Brett Scott, Staff
Assistant; Shannon Weinberg, Counsel, CMT; Tom Wilbur, Staff
Assistant; Alex Yergin, Legislative Clerk; Michelle Ash,
Democratic Chief Counsel; Felipe Mendoza, Democratic Counsel;
and Will Wallace, Democratic Policy Analyst.
Mrs. Bono Mack. The subcommittee will now come to order.
That makes it quiet down real quick.
This is the fourth in our ongoing series of hearings on
online privacy. When our work is finally finished, my goal is
to point to a better way to protect consumer privacy and to
promote e-commerce at the same time. In the end, this will
benefit both American consumers and American businesses and
preserve a strongly held belief all across our Nation and
around the world that the Internet should remain free.
The chair will now recognize herself for an opening
statement.
OPENING STATEMENT OF HON. MARY BONO MACK, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA
When it comes to online privacy, at least for me, consumer
attitudes and expectations are the bits and the bytes that
matter the most. Do Americans really believe enough is being
done today to protect their online privacy? Are they taking
advantage of the many privacy tools currently available to
them? Do they even know about these tools? If not, why not? And
do these privacy features--for the most part--really work? Or
is it time for Congress to finally legislate in this area? This
is a hearing that I have been looking forward to for a very
long time because it is the first time we tried to quantify
what consumers expect and want. This is where the rubber hits
the road with respect to online privacy.
Today, there is no single Federal law expressly governing
all data collection in the United States. Instead, there is a
confusing hodgepodge of more than 300 State and Federal laws.
Likewise, there is no single regulator to enforce all these
privacy-related laws. Rather, an industry-specific approach has
emerged whereby Congress has restricted consumer data
collection and use by subject matter and provided the
enforcement authority to the relevant Federal agency.
As it stands today, the Federal Trade Commission arguably
has the broadest jurisdiction to enforce general privacy
violations under its Section 5 authority defining unfair or
deceptive acts or practices. Since 2001 the commission has
brought 34 cases against companies that failed to protect
consumer information, including when companies fail to adhere
to their own stated privacy policy.
In recent years, both policymakers and stakeholders have
expressed increasing concerns regarding the collection and
availability of consumers' personal information online.
Increased data collection and storage by Web sites, information
brokers, direct marketers, ISPs, and advertisers have been
driven in large part by the rapid decline of the associated
costs of data processing and storage, while at the same time
the value of consumer information has increased significantly.
As we know, data about consumers' online behavior is being
used today to target ads, increasing the likelihood of a sale
of a particular product. Is this bad? Not necessarily. But is
this process transparent enough and do consumers have enough
information and tools available to them to be able to opt out
of having their data collected and shared with unknown parties
if they so choose? In many ways, this is the very root of the
privacy issue.
In response to growing concerns over online data collection
and use--particularly regarding behavioral advertising--the
online advertising community developed a self-regulatory model
to provide consumers with notice and choice about
advertisements delivered to them through behavioral targeting.
The Digital Advertising Alliance developed and implemented
these so-called ``about ads'' to provide consumers more
information on why they are seeing a particular ad and to
provide them a mechanism to opt out of future ads directed at
them based on behavioral advertising.
Later, the FTC took things a step further, proposing a
number of principles to enhance consumer choices regarding
privacy, including the concept of a ``do not track'' mechanism.
Since the hearing in the last Congress on ``do not track''
legislation, the two most popular browser developers--
Microsoft's Internet Explorer and Mozilla's Firefox--have both
designed and incorporated a ``do not track'' feature into their
browsers.
These features are user-controlled, so consumers must
choose to turn them on to actually prevent tracking. Internet
Explorer blocks content from sites that are on tracking
protection lists and that could otherwise use the content to
collect information. Mozilla's Firefox broadcasts its signal to
each Web site a consumer actually visits, communicating the
consumer's desire not to have his or her information collected.
Clearly, the effectiveness of Mozilla's approach faces
significant hurdles because every Web site that receives a
signal from the consumer's browser must choose to honor their
request, and currently there is no requirement that Web sites
must do so.
So what do consumers think about all of this? And when it
comes to the Internet, how do we--as Congress and as
Americans--balance the need to remain innovative with the need
to protect privacy?
Clearly, the explosive growth of technology has made it
possible to collect information about consumers in increasingly
sophisticated ways. Sometimes the collection and use of this
information is extremely beneficial; other times, it is not.
Despite everything that I have heard in our previous
hearings, I still remain somewhat skeptical right now of both
industry and government. Frankly, I don't believe industry has
proven that it is doing enough to protect American consumers,
while government, unfortunately, tends to overreach whenever it
comes to new regulations.
That is why I am so anxious today to hit the ``refresh
key'' to learn the latest about consumer attitudes and
expectations.
And with that, I am happy to recognize the gentleman from
North Carolina, Mr. Butterfield, for his opening statement for
5 minutes.
[The prepared statement of Mrs. Bono Mack follows:]
[GRAPHIC] [TIFF OMITTED] T4605.001
[GRAPHIC] [TIFF OMITTED] T4605.002
OPENING STATEMENT OF HON. G.K. BUTTERFIELD, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF NORTH CAROLINA
Mr. Butterfield. Let me thank you, Chairman Bono Mack, for
holding this very important hearing today.
This is no doubt a very important issue to all of us. You
spoke with me when we first started this subcommittee at the
beginning of the session, and you told me of your keen interest
in this issue, and I want to thank you for pursuing this
hearing today.
This forum provides an opportunity to look at expectations
and attitudes about privacy from a consumer's point of view,
and these witnesses that we have today, all six of them, will
no doubt share with us some very valuable perspectives.
The bottom line is that consumers want and expect privacy.
Whether they are online, hopping from one Web site to another,
or buying a few things at a chain grocery store, but sometimes,
the privacy consumers expect isn't respected. For example, the
information collection practices by online tracking firms for
purposes of behavioral advertising aren't generally visible to
consumers, and with those consumers that know it is happening
don't always know how to achieve the level of privacy they want
with the tools available to them.
I understand that online advertising is big business. We
all know that. Last year revenue from all types of online and
advertising totaled $26 billion. This revenue helps to support
free access to a lot of the online content consumers have come
to expect. A small but growing segment of this revenue is
coming from behavioral advertising, and I think most of us by
now understand how that works, but let me nonetheless try to
describe it in my own way.
Imagine that I am in the market for a new car, let's say a
Ford Explorer. Since I drive a 2000 Ford Explorer, let's say I
am in the market for another Ford Explorer. I visit some online
car comparison Web sites, and there are many. I visit the
manufacturer's Web site, and then I decide to put off buying a
car for another day or two. I go to the Web site of a daily
newspaper, and all of a sudden there are advertisements on some
of the pages for, you guessed it, a Ford Explorer.
This happens through the installation of cookies on my
computer, although some of the industry have resorted to more
persistent and less visible tracking tools. Those cookies allow
an advertiser to track my online activities across multiple Web
sites and ultimately serve me up a tailored advertisement for a
vehicle that I had previously expressed an interest.
I appreciate the amazing business opportunities made
possible by behavioral advertising. I understand that consumers
are probably more likely to purchase goods and services after
seeing an advertisement if it is relevant to their likes and
interests.
However, a leading academic study of consumer attitudes
toward behavioral advertising found they don't want it. That
study found that 66 percent of survey participants did not want
tailored advertising. The number that didn't want tailored
advertising jumped to 84 percent when participants were asked
if it would be OK to base that tailoring off of tracking a
consumer's activities across Web sites. The number jumped to 86
percent when participants were asked if it would be OK to base
tailored advertising on offline activities, like using a
discount card at the grocery store.
One thing is clear, consumers aren't clamoring for tailored
advertising, and they become more uncomfortable with it when
asked about the sorts of tracking activities that enable it.
The finding of another study on consumer attitudes sums it up
best: 64 percent of participants agreed that someone keeping
track of my activities online is invasive, while only 4 percent
disagree.
I will be clear. I support the online advertising industry,
I have told them that, and respect the central role that ads
play in supporting a free Internet ecosystem. However, I
strongly believe that consumers have the right to know upfront
when their online activities are being tracked, what activities
are being tracked, and what that information will be used for
as well as the option to opt out of having their information
collected entirely, not just from receiving targeted ads.
The online advertising industry has responded to privacy
concerns by creating a self-regulatory program for behavioral
advertising that provides consumers with Web sites that allow
them to opt out from receiving behavioral advertising from
companies, from participating companies. I appreciate this
effort.
I still feel strongly that a national baseline privacy law
is the best way to ensure consumers have basic common sense and
permanent rights over the collection and use of their
information.
Again, thank you, Madam Chair. I yield back.
Mrs. Bono Mack. I thank the gentleman.
And the chair recognizes the gentlelady from Tennessee, Ms.
Blackburn, for 5 minutes.
OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TENNESSEE
Mrs. Blackburn. Thank you, Madam Chairman.
I want to welcome all of our witnesses here today. We are
delighted to have you here to participate in this discussion,
and as we talk about tech policy and the virtual marketplace
today, we are talking about government regulating the use of
data and what that interface is going to be.
As we worked through this issue, as the chairwoman said,
this is our fourth hearing on this, I have decided that this
data should be treated as a natural resource and that the DNA
of this data is very powerful. It really is the lifeblood of a
thriving Internet economy.
So here are some questions for you. Should we allow our
free market to explore this natural resource and learn to
commercialize it, protect it, and respect it, or are we going
to restrict it altogether? Why should government be the
decision-maker? Government seems to know so little. It reacts
slowly, works poorly, and I was reading a quote from one of my
favorite economists, F. A. Hayek, Friedrich Hayek, who wrote
the book, ``Road to Serfdom,'' and as I had to remind a college
student recently, that is s-e-r-f-d-o-m, not s-u-r-f-d-o-m. Let
me give you this quote: It is the curious task of economics is
to demonstrate to men how little they really know about what
they imagine they can design, end quote. I think that is very
relevant to this discussion that we are having about privacy in
the virtual marketplace.
We don't know what consumers' true expectations are about
online privacy. Consumers are different. Their expectations are
not static, whether they are 2 or 20 or 82, and innovation
moves 500 times faster than what we see government moving. And
we don't need to pretend that government has all the answers.
Our thriving tech and ad industries are infinitely more
responsive and better equipped to meet consumer needs than a
Federal Government program that is one size fits all.
In my opinion, our foundation for policy should be
flexible, encourage beneficial use of data, protect against
real harms, empower people instead of government.
I look forward to your testimony.
And at this time, I yield to Mr. Barton of Texas.
[The prepared statement of Mrs. Blackburn follows:]
[GRAPHIC] [TIFF OMITTED] T4605.003
OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TEXAS
Mr. Barton. Thank you, Ms. Blackburn.
I am going to read the Third Amendment to the Constitution
of the United States. It says, no soldier shall in time of
peace be quartered in any house without the consent of the
owner nor in time of war but in a manner to be prescribed by
law. That is the Third Amendment to the Bill of Rights of the
Constitution. If the Founding Fathers had had the Internet,
instead of saying without the consent of the owner to put
soldiers in your home, they would have said without the consent
of the Internet user, they couldn't collect data.
I want to put my support to what the ranking member, Mr.
Butterfield, just said. I think it is time that the Congress of
the United States pass a strong, general, explicit privacy
protection law. We have approached the use of the Internet more
from a marketing standpoint, that apparently each of us that
uses the Internet individually exists to primarily be marketed
and not as individuals that have guaranteed rights under the
Constitution.
Now, the Constitution does not explicitly guarantee the
right to privacy, but they wouldn't have put the Third
Amendment about putting soldiers in your home without your
consent if they didn't at least implicitly understand that
every person in the United States at that time had the right to
privacy.
Every week, Madam Chairwoman, we hear some other additional
outrage about the abuse of the Internet, whether it is a super
cookie that somebody can put on your computer without your
knowledge and you can't get it off. Now, my staff yesterday
told me that one of our leading Internet companies, Amazon, is
going to create their own server in their own system, and they
are going to force everybody that uses Amazon to go through
their server, and they are going to collect all this
information on each person who does that without that person's
knowledge.
I mean, enough is enough, Madam Chairwoman.
We have over 240 million Americans who use the Internet
every day. Each of those 240 million Americans are entitled, in
my opinion, to the right to privacy.
With that, I want to yield the balance of the time to Mr.
Olson of Texas.
[The prepared statement of Mr. Barton follows:]
[GRAPHIC] [TIFF OMITTED] T4605.004
[GRAPHIC] [TIFF OMITTED] T4605.005
OPENING STATEMENT OF HON. PETE OLSON, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TEXAS
Mr. Olson. I thank my colleague, the chairman emeritus from
Texas.
I thank the chairwoman.
As we continue our hearings on online privacy issues, we
need to ask ourselves two fundamental questions: Number one,
when it comes to privacy protections in the online space, is
there an issue industry can't correct on their own through
self-regulatory initiatives? And, number two, if there is a
problem industry can't correct without negatively impacting
jobs, our struggling economy, and the growth and innovation we
are seeing in the online space, can the government correct
these problems?
Today's hearing is important because we will hear directly
from industry about what they are doing on their own to better
provide transparency and privacy for customers online. One key
advantage industry has over government is the ability to
quickly adapt to changes in consumer demands and changes in
technology.
So I thank the witnesses for being here and look forward to
their testimony.
Yield back.
Mrs. Bono Mack. I thank the gentleman, and now we turn our
attention to our panel.
STATEMENTS OF BARBARA LAWLER, CHIEF PRIVACY OFFICER, INTUIT;
MICHAEL HINTZE, ASSOCIATE GENERAL COUNSEL, MICROSOFT
CORPORATION; SCOTT MEYER, CEO, EVIDON; LINDA WOOLLEY, EXECUTIVE
VICE PRESIDENT, WASHINGTON OPERATIONS, DIRECT MARKETING
ASSOCIATION, ON BEHALF OF DIGITAL ADVERTISING ALLIANCE;
ALESSANDRO ACQUISTI, ASSOCIATE PROFESSOR OF INFORMATION
TECHNOLOGY AND PUBLIC POLICY, HEINZ COLLEGE, CARNEGIE MELLON
UNIVERSITY; AND PAM DIXON, EXECUTIVE DIRECTOR, WORLD PRIVACY
FORUM
Mrs. Bono Mack. We have one panel of witnesses joining us
today. Each of our witnesses has prepared an opening statement
that will be placed into the record. Each of you will have 5
minutes to summarize that statement in your remarks. A special
welcome to the Californians on the panel, recognizing it is
6:25 for your body clocks, we have a special appreciation for
your appearance here today.
But on our panel, first, we have Barbara Lawler, chief
privacy officer at Intuit. Then we have Michael Hintze,
associate general counsel at Microsoft. Then we have Scott
Meyer, chief executive officer at Evidon. Our fourth witness is
Linda Woolley, executive vice president of the Direct Marketing
Association. Our fifth witness is Alessandro Acquisti,
associate professor of information systems and public policy at
Carnegie Mellon University. And our final witness is Pam Dixon,
executive director at the World Privacy Forum.
Good morning and thank you all again for coming. You will
be recognized for 5 minutes. To keep track of the time, you
have the timers in front of you, and green, yellow, red, self-
explanatory, but please try to wrap it up when you get to
yellow so when it hits red, your 5 minutes is up.
Ms. Lawler, if you could pull your microphone forward and
turn it on, you are recognized for 5 minutes.
STATEMENT OF BARBARA LAWLER
Ms. Lawler. Good morning, Chairman Bono Mack, Ranking
Member Butterfield, and members of the committee, thank you for
this opportunity to comment on consumer expectations around
privacy. I am Barb Lawler, the Chief Privacy Officer at Intuit.
I ask that my full statement be put into the record due to the
time constraints.
Intuit is well positioned to comment on consumer
expectations about privacy. Over 50 million customers entrust
us with their most personal financial information. We have been
committed to innovating and implementing the safest and most
responsible ways to work with consumers' financial information
for nearly 30 years. Understanding our customers' expectations
about online privacy and earning their trust is a major
priority at Intuit.
Intuit recently undertook a comprehensive research program
that examined our customers' expectations about privacy. Our
customers told us they expect Intuit to be an ethical steward
of their information, applying it reasonably and with integrity
for their benefit, while keeping it safe and secure. Our
research strongly informed the development of our data
stewardship principles. The unifying concept is that it is the
customer's data, not ours.
Our principles provide our customers with tools to
understand how their data is being used and empower them with
choices to control the use of their data. These fundamentals
were based on a number of key insights we learned from our
customer research project.
First, we learned that data privacy matters to consumers.
While many people do not pore over privacy policy statements,
they do care deeply about privacy and how their data is used.
Customers told us the fine print is often confusing and they
prefer simple, easy-to-read explanations of how their data will
be applied and used and serviced to their needs.
Second, we found that customers want clear, relevant, and
context-based choices that educate and empower them to control
the use of their data. When a choice is presented in relevant
context and coupled with a simple explanation, most customers
felt empowered to make choices and then welcomed the use of
their data.
Finally, confidence increases when consumers clearly
understand how their data can be applied to benefit them.
In the absence of clear statement and principles, customers
can worry that their data will be sold to third parties to
benefit someone else or possibly harm them. When data-driven
benefits are clearly outlined to consumers in responsible ways,
their attitudes toward the use of their data significantly
changed.
Data-driven innovations can equip individuals and small
business owners with new tools and insights that once were only
available to much larger and more powerful companies. Our
research showed a tremendous appetite for such products and
services amongst both consumers and small business owners. For
example, Intuit developed capabilities for small business
owners to compare themselves along key metrics for similarly
situated businesses in the same geography. Imagine if your
local florist could compare his regular spending trends, soil,
marketing or delivery trucks, anonymously with those of other
florists in his region of the country. This kind of service
involves the use of the customer's own data in a way that
brings meaningful value to their lives and financial well-
being.
As we move toward a connected services cloud-based economy,
it is vital that we develop clear and practical privacy
frameworks that answer the concerns and expectations of
consumers, regardless of the technology or the device they
choose to use. Data stewardship represents our ongoing
commitment to act as an accountable organization to our
customers and to the public. We see data stewardship as a clear
and practical privacy policy framework for the 21st century. We
all must work toward the shared goal of protecting consumers
while maintaining data-driven innovation that improves
consumers' lives in trusted, real, and fundamental ways.
Thank you again for this opportunity. We look forward to
working together with you and the committee toward this
important goal.
[The prepared statement of Ms. Lawler follows:]
[GRAPHIC] [TIFF OMITTED] T4605.006
[GRAPHIC] [TIFF OMITTED] T4605.007
[GRAPHIC] [TIFF OMITTED] T4605.008
[GRAPHIC] [TIFF OMITTED] T4605.009
[GRAPHIC] [TIFF OMITTED] T4605.010
[GRAPHIC] [TIFF OMITTED] T4605.011
[GRAPHIC] [TIFF OMITTED] T4605.012
[GRAPHIC] [TIFF OMITTED] T4605.013
[GRAPHIC] [TIFF OMITTED] T4605.014
[GRAPHIC] [TIFF OMITTED] T4605.015
[GRAPHIC] [TIFF OMITTED] T4605.016
[GRAPHIC] [TIFF OMITTED] T4605.017
[GRAPHIC] [TIFF OMITTED] T4605.018
[GRAPHIC] [TIFF OMITTED] T4605.019
Mrs. Bono Mack. Thank you, Ms. Lawler.
Mr. Hintze, you are recognized for 5 minutes.
STATEMENT OF MICHAEL HINTZE
Mr. Hintze. Chairman Bono Mack, Ranking Member Butterfield,
and honorable members of the committee, my name is Mike Hintze,
and I am an associate general counsel at Microsoft. Thank you
for the opportunity to share Microsoft's perspective on the
important issue of consumer attitudes about privacy. We
appreciate the leadership the subcommittee has shown on this
topic, and we are committed to working with you and others to
protect consumer privacy while promoting innovation. The
diverse products and services through which Microsoft engages
with consumers gives us a unique perspective on the privacy
discussion.
We have a strong commitment to privacy because we recognize
that consumer trust is critical to the adoption of online
services. Our goal at Microsoft is to build trust with
consumers by providing them with information about what data is
being collected and how it is being used, offering choices
about the collection and use of that data and ensuring that
their data is kept secure.
In our experience, there is no ``silver bullet'' solution
to privacy. This is because privacy means different things to
different consumers, and there is a wide range of privacy
sensitivities among individuals. Consumers also have different
privacy expectations depending on the context in which their
data is collected and used. Finally, as technology evolves,
customer expectations about privacy often evolve with it. These
challenges require a multifaceted approach to addressing
consumer privacy. In our view, this approach should focus on
four key elements.
The first element is company best practices. At Microsoft,
we have a deep and longstanding commitment to privacy in how we
design our products and services and how we operate our
business. We believe in adopting practices that provide
consumers with information and choices to enable them to
exercise more control over their privacy.
Let me provide some examples of how consumers have
responded to that approach. Over the past 5 months, key privacy
Web sites offered by just one division of our company averaged
over 2 million sessions per month. In an average month, more
than 435,000 consumers access our advertisement choice Web
site. This site provides information about personalized online
advertisements and how consumers can opt out or use other
controls. Approximately 20 percent of those consumers perform
some action while visiting that site, in most cases opting out
of personalized ads. As these numbers make clear, when we
provide consumers with information and meaningful controls,
many will use them.
The second element is technology tools that empower users
to protect themselves as they interact with other sites across
the Internet. For example, we were the first major browser
manufacturer to respond to the FTC's recent call for a
persistent browser-based ``do not track'' mechanism. In
Internet Explorer 9, we offer this feature which we call
tracking protection. It allows consumers to decide which third-
party sites can receive their data and filters contents from
sites identified as potential privacy threats.
But no company can meet consumer privacy expectations on
its own. So the third element that can contribute to the
protection of consumer privacy involves baseline rules of the
road established by both industry self-regulation and
legislation. Industry self-regulation in particular plays an
important role in fostering privacy solutions and can offer
flexible approaches for protecting privacy in many different
contexts. We also have long-supported Federal baseline privacy
legislation as a means of setting rules that can protect
consumers without hampering innovation.
Nevertheless, self-regulatory efforts are generally better
than prescriptive legislation to keep pace with evolving
technologies. One recent example of this is the self-regulatory
program for online behavioral advertising, which has advanced
both transparency and consumer choice. Among other things, this
program includes a standard icon that is prominently displayed
in or next to online ads. By clicking on the icon, consumers
can access information about the delivery of the ad and choose
to opt out from receiving behavioral advertising.
Finally, the fourth element is consumer education. In order
for all of these elements to work, consumers need to understand
the protections and tools available and the practices of
companies with which they are interacting. That is why, in
addition to providing information ourselves, we have also
partnered with consumer advocates and government agencies to
develop educational materials on consumer privacy and data
security.
In conclusion, addressing consumer privacy expectations
requires the collaborative effort of individual companies,
industry groups, consumer and privacy advocates, government,
and consumers themselves. We must work together to meet these
challenges without hindering innovation.
Thank you, and I look forward to answering your questions.
[The prepared statement of Mr. Hintze follows:]
[GRAPHIC] [TIFF OMITTED] T4605.020
[GRAPHIC] [TIFF OMITTED] T4605.021
[GRAPHIC] [TIFF OMITTED] T4605.022
[GRAPHIC] [TIFF OMITTED] T4605.023
[GRAPHIC] [TIFF OMITTED] T4605.024
[GRAPHIC] [TIFF OMITTED] T4605.025
[GRAPHIC] [TIFF OMITTED] T4605.026
[GRAPHIC] [TIFF OMITTED] T4605.027
[GRAPHIC] [TIFF OMITTED] T4605.028
[GRAPHIC] [TIFF OMITTED] T4605.029
[GRAPHIC] [TIFF OMITTED] T4605.030
[GRAPHIC] [TIFF OMITTED] T4605.031
[GRAPHIC] [TIFF OMITTED] T4605.032
[GRAPHIC] [TIFF OMITTED] T4605.033
[GRAPHIC] [TIFF OMITTED] T4605.034
[GRAPHIC] [TIFF OMITTED] T4605.035
[GRAPHIC] [TIFF OMITTED] T4605.036
[GRAPHIC] [TIFF OMITTED] T4605.037
[GRAPHIC] [TIFF OMITTED] T4605.038
[GRAPHIC] [TIFF OMITTED] T4605.039
[GRAPHIC] [TIFF OMITTED] T4605.040
[GRAPHIC] [TIFF OMITTED] T4605.041
[GRAPHIC] [TIFF OMITTED] T4605.042
[GRAPHIC] [TIFF OMITTED] T4605.043
Mrs. Bono Mack. Thank you very much.
Mr. Meyer, you are recognized for 5 minutes.
STATEMENT OF SCOTT MEYER
Mr. Meyer. Thank you, Chairman Bono Mack, Ranking Member
Butterfield, and distinguished members of the subcommittee.
My name is Scott Meyer. I am the CEO and founder of Evidon.
I appreciate the opportunity to appear before you today to talk
about consumer expectations regarding online interest-based
advertising and the important role that my company, Evidon,
plays in meeting those expectations.
We founded Evidon specifically to promote transparency,
consumer control, and accountability across the online
advertising ecosystem. Our technology is at the heart of the
industry's self-regulatory program, which is designed to give
consumers greater control, transparency, and understanding of
interest-based or behavioral ads.
The core component of the program is the display of a
distinct advertising option icon on interest-based ads and on
Web sites where data is collected and used. Our platform, which
is called Evidon InForm, is a leading example of privacy by
design in the actual real world. It displays the advertising
option icon in ads and on Web pages. When consumers click on
the icon, they can easily find out more information about the
ad. This includes information about the companies who are
involved in delivering the ad to them as well as the all-
important ability to opt out.
I brought some slides with me today which are on the
screens and are also in my written testimony, so if I could
have the first slide, please, so you can see the platform in
action. Here you can see an ad with the advertising option icon
along with the text ad choices in the upper left-hand corner.
You might also see the same icon in the bottom of a Web page.
When consumers click on the icon, an overlay window appears
with more information and the links you see displayed here on
the next slide. In the 12 months since the launch of the
advertising option icon program, Evidon has delivered over 85
billion of these in-ad notices through our platform. We
currently provide notice in nearly 20 billion online ads each
month, and on an average day, ads with Evidon-powered notice
reach more than 80 million U.S. Internet users.
One click on the more information and opt-out options on
the slide takes you to the next page, which is the Evidon Web
page shown here. And on this page, consumers can see which
companies have been able, which companies have been involved in
the data collection and use, and they have the ability to find
out more as well as, importantly, to opt out.
Evidon InForm also provides reporting to the companies to
show them how consumers have interacted with this platform, and
those reports are endorsed as a standard method for providing
evidence of compliance with the industry's self-regulatory
program.
Though Evidon itself does not collect any consumer
information, our anonymous logs show that the advertising
option icon has been clicked 4.5 million times since the launch
of the program. That has resulted in 730,000 opt-out requests
being sent through the Evidon platform alone.
In 2010, we commissioned a study by Millward Brown to
better understand what consumers want and what they expect when
they click on the icon. We found that 76 percent of consumers
who clicked on the icon and interacted with the Evidon notice
experience that you see here wanted to see all of the companies
involved in targeting ads to them and find out more
information. We also found that this was good for business,
that 67 percent of consumers when they went through the Evidon
notice experience felt more positive and in greater control of
their advertising and felt more positive toward the brands that
were involved in these ads. Together, these metrics support the
proposition that consumers want more than a simple on or off
switch, and they want substantive notice and control regarding
the companies responsible for targeting the ads to them.
Finally, if I could go to the next slide, in addition to
implementing the advertising option icon, we have led the way
with the creation of the Open Data Partnership. Open Data, a
key feature is the preference manager you see here and in my
written testimony which enables consumers to see and edit the
information that companies have collected about them as well as
the all-important ability to opt out.
The metrics I have laid out today and more fully developed
in my testimony reflect an order of magnitude shift in the
availability of how information is used and collected and the
choices that consumers are able to make. This is important
because the information is no longer buried in privacy
policies. Now it is presented to the consumer in clear,
specific, and easily understood ways directly at the point of
engagement. And ultimately, the success of this program should
be judged by the degree to which these access tools are
produced in a credible fashion and the extent to which these
tools are offered to the consumer and not simply the rate at
which consumers opt out.
One last point I will make is that this hearing is all
about consumer expectations. The one thing I think everyone
here can agree on is that consumers have come to expect free
online content. The targeted advertising that we are talking
about today plays an essential role in supporting the vibrant,
free, and open Internet that consumers have come to expect and
to enjoy.
Thank you again for inviting me to testify, and I look
forward to answering your questions.
[The prepared statement of Mr. Meyer follows:]
[GRAPHIC] [TIFF OMITTED] T4605.044
[GRAPHIC] [TIFF OMITTED] T4605.045
[GRAPHIC] [TIFF OMITTED] T4605.046
[GRAPHIC] [TIFF OMITTED] T4605.047
[GRAPHIC] [TIFF OMITTED] T4605.048
[GRAPHIC] [TIFF OMITTED] T4605.049
[GRAPHIC] [TIFF OMITTED] T4605.050
[GRAPHIC] [TIFF OMITTED] T4605.051
[GRAPHIC] [TIFF OMITTED] T4605.052
[GRAPHIC] [TIFF OMITTED] T4605.053
[GRAPHIC] [TIFF OMITTED] T4605.054
[GRAPHIC] [TIFF OMITTED] T4605.055
[GRAPHIC] [TIFF OMITTED] T4605.056
[GRAPHIC] [TIFF OMITTED] T4605.057
[GRAPHIC] [TIFF OMITTED] T4605.058
[GRAPHIC] [TIFF OMITTED] T4605.059
[GRAPHIC] [TIFF OMITTED] T4605.060
Mrs. Bono Mack. Thank you, Mr. Meyer.
Ms. Woolley, you are recognized for 5 minutes, and please
make sure your microphone is on and close to you.
STATEMENT OF LINDA WOOLLEY
Ms. Woolley. Thank you, Madam Chairman.
Ranking Member Butterfield and members of the committee,
thank you for the opportunity to speak.
My name is Linda Woolley, and I am Executive Vice President
of Washington Operations for the Direct Marketing Association,
a global trade association of thousands of businesses and
nonprofit organizations that use and support multi-channel
direct marketing tools and techniques.
Today, however, I am pleased to testify on behalf of the
Digital Advertising Alliance, known as DAA, and to report to
the subcommittee on the substantial progress of our self-
regulatory program for online behavioral advertising. The
program which you heard about from previous witnesses builds on
a long tradition of successful self-regulation in marketing and
advertising and provides transparency and controls so that
consumers can exercise their individual choices regarding
online behavioral advertising.
It is appropriate that the subcommittee is devoting a
series of hearings to online issues because it is impossible to
overstate the economic importance of the Internet today. I
think one of your members, I think Mr. Butterfield actually,
mentioned earlier that the online behavioral advertising
industry in this year alone represents a $30 billion economy,
and that is growing.
Advertising helps to fuel the Internet economic engine.
According to a new report from the Direct Marketing
Association, based on the results of the first half of this
year, expenditures in 2011 on online marketing in the United
States are expected to total over $30 billion. These revenues
support e-commerce and subsidize a rich variety of content and
services that consumers and businesses rely upon and value.
Behavioral or interest-based advertising is an essential
form of online advertising. It delivers content to consumers
based on interests that are inferred from data about online
activities. Consumers are likely to find interest-based
advertisements much more relevant than the random messages that
they would otherwise receive, and advertisers and publishers
also derive great value from relevant advertising.
In general, the data used for interest-based advertising is
not personally identifiable, except when consumers choose to
share personally identifiable information. Nevertheless, the
advertising industry recognizes and respects that some
consumers prefer not to receive such advertising.
In 2009, as was already mentioned, the Federal Trade
Commission endorsed industry self-regulation for online
interest-based advertising. Following the road map that was set
out by the Commission, the online advertising industry, on its
own initiative, developed a self-regulatory principles for
online behavioral advertising that cover consumer education,
enhanced notice of data practices, innovative mechanisms,
choice mechanisms, data security, sensitive data protection,
consent for retroactive material changes, and enforcement.
Our self-regulatory principles are comprehensive, but yet
they are flexible enough to respond to the complex and ever-
evolving online advertising ecosystem. More importantly, they
represent consensus in the online advertising community and are
supported by all of the major industry stakeholders in the
Internet ecosystem, as my colleague from Microsoft previously
mentioned.
Since publishing the principles, the advertising industry
has put its money where its mouth is and developed a program
that is second to none. Hundreds of companies have invested now
millions of dollars to give consumers transparency about online
data collection practices and meaningful choices about how data
is collected and used.
I want to mention that the DAA program includes all 15
largest online advertising networks and that the brands that
participate in this program are household names. To mention a
few: Google, Microsoft, Yahoo!, GM, American Express, Bank of
America, Disney, Procter & Gamble, Target, Wal-Mart, AT&T,
Verizon, Comcast, Time Warner Cable, Honda, Hyundai, Toyota,
Dell, HP, the list goes on, but I think you get the sense of
how all of these companies understand that this is a critical
program, a critical and credible program that they, too, want
to be part of.
My written testimony describes our achievements in greater
detail, but I would like to highlight a few key elements for
the subcommittee. First, the advertising option icon shown in
this program is a key feature of the program, and as mentioned
earlier, this is what consumers see if they click on it, they
get in one or two clicks and are able to opt out.
The self-regulatory program: Second, the DAA program is
effective and easy to use for consumers. When the ad is
delivered is at the exact moment that consumers are likely to
want to take action and make a choice about their preferences,
and finally, the program is backed up by strong enforcement,
managed through both DMA and the Council of Better Business
Bureau. Thank you very much for the opportunity to testify.
[The prepared statement of Ms. Woolley follows:]
[GRAPHIC] [TIFF OMITTED] T4605.061
[GRAPHIC] [TIFF OMITTED] T4605.062
[GRAPHIC] [TIFF OMITTED] T4605.063
[GRAPHIC] [TIFF OMITTED] T4605.064
[GRAPHIC] [TIFF OMITTED] T4605.065
[GRAPHIC] [TIFF OMITTED] T4605.066
[GRAPHIC] [TIFF OMITTED] T4605.067
[GRAPHIC] [TIFF OMITTED] T4605.068
[GRAPHIC] [TIFF OMITTED] T4605.069
[GRAPHIC] [TIFF OMITTED] T4605.070
[GRAPHIC] [TIFF OMITTED] T4605.071
[GRAPHIC] [TIFF OMITTED] T4605.072
[GRAPHIC] [TIFF OMITTED] T4605.073
[GRAPHIC] [TIFF OMITTED] T4605.074
[GRAPHIC] [TIFF OMITTED] T4605.075
[GRAPHIC] [TIFF OMITTED] T4605.076
[GRAPHIC] [TIFF OMITTED] T4605.077
[GRAPHIC] [TIFF OMITTED] T4605.078
[GRAPHIC] [TIFF OMITTED] T4605.079
[GRAPHIC] [TIFF OMITTED] T4605.080
Mrs. Bono Mack. Thank you, Ms. Woolley.
Dr. Acquisti, you are recognized for 5 minutes.
STATEMENT OF ALESSANDRO ACQUISTI
Mr. Acquisti. Thank you, Chairman Bono Mack, Ranking Member
Butterfield, and members of the subcommittee, it is my honor to
be here today.
My name is Alessandro Acquisti. I am an associate professor
at the Heinz College, Carnegie Mellon University. I have been
studying the economics of privacy for about 10 years.
Surveys have found repeatedly evidence of widespread
privacy concerns among U.S. consumers. Most Americans believe
that privacy is a right, and this right is under threat. They
express concerns over the way businesses collect personal
information and favor government intervention over self-
regulation as a means to protect privacy.
Consumers are especially troubled by tracking technologies.
A vast majority of individuals express elevated concerns about
the usage of their location data and significant distrust
towards targeted advertising. However, other studies have found
discrepancies between privacy attitudes, what people say in
surveys, and actual behavior. Individuals like sharing
information online with friends and seem willing to trade
privacy for convenience and personalized services.
Now, consumers' willingness to share personal information
is not in contradiction with their desire for privacy. However,
behavioral research has shown that consumers face significant
challenges in navigating complex privacy trade-offs in the
marketplace in ways which reflect their self-interests.
One problem highlighted by research is that consumers often
do not know what happens to their data or are provided
confusing, sometimes even misleading information about their
data. Choice and notification regimes are unlikely to solve the
problem. By the time the consumer learns how to deal with a
privacy sensitive technology, often a new and more intrusive
technology has already appeared, catching the consumer
unprepared. Furthermore, if we assume that consumers will
actually read the privacy policies, studies have shown that the
opportunity costs for the U.S. economy or the time spent
actually reading those policies will be about two-thirds of a
trillion dollars a year.
These problems are magnified by the proliferation of
consumer tracking across multiple sites and progresses in data
mining, which make it possible to re-identify individuals and
make sensitive inferences from data which seemed anonymous. In
a recent experiment at Carnegie Mellon, we predicted
individuals' Social Security numbers simply starting from their
faces. Individuals and consumers are at a loss here because
they cannot predict how the innocuous information they reveal
today will be combined to produce more sensitive inferences
tomorrow.
A second problem relates to systematic biases, mistakes
people make when trading off privacy and disclosure. Consider
instant gratification bias. Human beings tend to value the
present more than the future and therefore underappreciate the
negative consequences of current actions. While the benefits of
information disclosure are often immediate, the costs of
disclosures happen in the future. Therefore consumers may
disclose data today that puts them at great risk tomorrow.
Consider also the paradox of control. At CMU, we did
experiments and found that increasing control of a person's
information can decrease concern about privacy but
paradoxically increases individuals' propensity to disclose
sensitive information to strangers, even when the objective
risks are actually increasing. So, in a way, more control, less
privacy.
In other experiments, we found that individuals can be
manipulated to disclose more or less information with subtle
changes to the interfaces of Internet services. There is
evidence that online companies have used similar strategies to
nudge users toward more disclosure. So self-regulatory
solutions are unlikely to solve this kind of a problem.
In a way, this research indicates that there is no complete
free choice on the Internet. What I mean is that even before
the first visitor has arrived to a Web site, the engineers of
the Web site have made design decisions that will impact the
future behavior of the visitor and in fact also how much the
person will reveal.
So privacy is becoming less about control over your
information and more about the control that others can have
over you if they have your information. In economic terms, the
notion that as consumers, we receive free online services is
only partially accurate. The other side is that in reality
information doesn't pay the bills at the end of the month. The
free services consumers get are paid by consumers by purchasing
goods at prices which they are nudged to accept based on
information firms have about them.
Now for the good news. Industry and academic laboratories
across the United States have also developed other technologies
which can protect privacy without sacrificing firms' ability to
innovate. I am referring to privacy enhancing technologies, in
particular through the type of technologies which work by
anonymizing individual data in ways which are both effective,
in the sense that reidentification becomes very hard, and
efficient, in the sense that transactions can still be
completed.
This means that we can still tap economics as a natural
resource without sacrificing consumer privacy. Therefore, a
critical question for Congress is how to create incentives so
that we can foster the progress and the deployment of those
technologies.
Thank you, and I look forward to answering any questions.
[The prepared statement of Mr. Acquisti follows:]
[GRAPHIC] [TIFF OMITTED] T4605.081
[GRAPHIC] [TIFF OMITTED] T4605.082
[GRAPHIC] [TIFF OMITTED] T4605.083
[GRAPHIC] [TIFF OMITTED] T4605.084
[GRAPHIC] [TIFF OMITTED] T4605.085
[GRAPHIC] [TIFF OMITTED] T4605.086
[GRAPHIC] [TIFF OMITTED] T4605.087
[GRAPHIC] [TIFF OMITTED] T4605.088
[GRAPHIC] [TIFF OMITTED] T4605.089
[GRAPHIC] [TIFF OMITTED] T4605.090
[GRAPHIC] [TIFF OMITTED] T4605.091
[GRAPHIC] [TIFF OMITTED] T4605.092
[GRAPHIC] [TIFF OMITTED] T4605.093
Mrs. Bono Mack. Thank you very much.
And Ms. Dixon, you are now recognized for 5 minutes.
STATEMENT OF PAM DIXON
Ms. Dixon. Thank you.
Thank you for the invitation to come here today. I
appreciate it very much. Just three quick things. First, I
think we have heard today that from industry and academics,
that consumers just don't know what the risks are out there,
and we all drive cars, but we are not all mechanics. Likewise,
consumers are on the Internet, but they are not all technical
experts. This is not a surprise to any of us.
It is so frustrating when we get consumer phone calls, and
there is a solution for them, but they don't know about it. And
we talk to them about it, but that is just one consumer that we
have helped. There are millions and millions of consumers in
this particular boat.
How do we help all these consumers who are unaware of these
technical risks that we face online? It is a very difficult
challenge, but the one thing that surveys are very clear on is
that consumers are completely almost unaware of the risks they
face. It would be very challenging for a consumer to simply
keep up with everything that is going on between a tracking
cookie and a this and a that.
But secondly, as Alessandro has talked about, consumers do
not understand the privacy trade-offs that they are looking at,
when they are looking at privacy policies and icons. This is a
deep problem that is not going to be solved by pretty much
anything. This is a human nature problem.
So a consumer goes to a Web site, they see a privacy policy
or they see a seal or an icon. What do they think? They think
that their information is not collected, that their information
is not sold, bartered, et cetera. This is simply not usually
the case, but this is what consumers believe. This is a
fundamental perception issue that is going to need to shift for
consumers to be able to take adequate protective actions for
themselves.
So, as a result of these structural imbalances on the Web,
we support legislation that will protect consumers. However,
the reality check is that we don't see any likelihood of that
happening in the near future.
So what is a consumer to do? What is to happen now? What
are we faced with here? I think that what we need to do is look
at self-regulation. If self-regulation is going to be the way
forward, we need to reform it. There are a lot of structural
issues with self-regulation today. Self-regulation today bears
many of the hallmarks that self-regulatory efforts for privacy
in the past have also shared.
I have included a checklist of 15 items that a credible
self-regulatory regime should have. Among these include greater
transparency; a defined and permanent role for consumers;
composition of a board, a governing board that includes a
majority of consumer involvement. All of these things would go
far to improve the current self-regulatory schemes in play
today. So we advocate for greatly improved and reformed self-
regulation. I think it is an important thing to look at.
The second thing is that we think that there needs to be a
broader scope of discussion. It is very frustrating for me when
I hear discussions about online advertising because when we get
calls from consumers, they are not talking about what ads they
have been shown, not usually; it is pretty rare. They are
talking about their health data that has been used against
them, that an employer has found. They are talking about when
they have gone to a Web site, they have signed up for a survey,
and then they found out later that that information was sold
because they just didn't read the privacy policy.
We have got to look at the broader array of privacy issues.
Some of these issues do include advertising because
advertisings are part of the collection mechanism online. That
is the role we need to look at. So when we are talking about
opt-outs, it is great that there is so much more activity with
opt-out and that the opt-out is better. We support that, and I
think it is terrific. It is. It really is. It is much, much
better than it was even 2 years ago.
But what are consumers getting the right to opt out of? Are
they getting the right to opt out of tracking or being shown an
ad? We need to deliver opt-outs that confer fundamental choices
to consumers, like opting out of tracking. So this is what we
think is really important to focus on.
And then just a quick word. Many of the self-regulatory
regimes today focus on very narrow aspects of online privacy.
So, for example, if a consumer with a health condition was to
go to a Web site to research AIDS or cancer or Alzheimer's for
an aging parent, that consumer's information can be tracked and
then used in ways that may be counter to their expectations.
This is exactly the kind of thing that we need to work with.
Does it harm a person to be shown an ad about Alzheimer's? That
is debatable. In some cases, I think young teen girls being
shown weight loss ads; that can be harmful. But other, you
know, a red car or a blue car; I am not so worried about that.
I am worried about the collection of the data, the tracking,
and the reuse. So that is my statement, and thank you for your
time and attention.
[The prepared statement of Ms. Dixon follows:]
[GRAPHIC] [TIFF OMITTED] T4605.094
[GRAPHIC] [TIFF OMITTED] T4605.095
[GRAPHIC] [TIFF OMITTED] T4605.096
[GRAPHIC] [TIFF OMITTED] T4605.097
[GRAPHIC] [TIFF OMITTED] T4605.098
[GRAPHIC] [TIFF OMITTED] T4605.099
[GRAPHIC] [TIFF OMITTED] T4605.100
[GRAPHIC] [TIFF OMITTED] T4605.101
[GRAPHIC] [TIFF OMITTED] T4605.102
[GRAPHIC] [TIFF OMITTED] T4605.103
[GRAPHIC] [TIFF OMITTED] T4605.104
[GRAPHIC] [TIFF OMITTED] T4605.105
[GRAPHIC] [TIFF OMITTED] T4605.106
[GRAPHIC] [TIFF OMITTED] T4605.107
[GRAPHIC] [TIFF OMITTED] T4605.108
[GRAPHIC] [TIFF OMITTED] T4605.109
[GRAPHIC] [TIFF OMITTED] T4605.110
[GRAPHIC] [TIFF OMITTED] T4605.111
[GRAPHIC] [TIFF OMITTED] T4605.112
[GRAPHIC] [TIFF OMITTED] T4605.113
[GRAPHIC] [TIFF OMITTED] T4605.114
[GRAPHIC] [TIFF OMITTED] T4605.115
[GRAPHIC] [TIFF OMITTED] T4605.116
[GRAPHIC] [TIFF OMITTED] T4605.117
[GRAPHIC] [TIFF OMITTED] T4605.118
[GRAPHIC] [TIFF OMITTED] T4605.119
[GRAPHIC] [TIFF OMITTED] T4605.120
[GRAPHIC] [TIFF OMITTED] T4605.121
[GRAPHIC] [TIFF OMITTED] T4605.122
[GRAPHIC] [TIFF OMITTED] T4605.123
[GRAPHIC] [TIFF OMITTED] T4605.124
[GRAPHIC] [TIFF OMITTED] T4605.125
[GRAPHIC] [TIFF OMITTED] T4605.126
[GRAPHIC] [TIFF OMITTED] T4605.127
[GRAPHIC] [TIFF OMITTED] T4605.128
[GRAPHIC] [TIFF OMITTED] T4605.129
[GRAPHIC] [TIFF OMITTED] T4605.130
[GRAPHIC] [TIFF OMITTED] T4605.131
[GRAPHIC] [TIFF OMITTED] T4605.132
[GRAPHIC] [TIFF OMITTED] T4605.133
[GRAPHIC] [TIFF OMITTED] T4605.134
[GRAPHIC] [TIFF OMITTED] T4605.135
[GRAPHIC] [TIFF OMITTED] T4605.136
[GRAPHIC] [TIFF OMITTED] T4605.137
[GRAPHIC] [TIFF OMITTED] T4605.138
Mrs. Bono Mack. Thank you, Ms. Dixon.
And now I will recognize myself for 5 minutes for
questioning. I would like to start with Mr. Meyer.
In your testimony, you state that since October 2010, your
icon has been featured in over 85 billion ads, that consumers
have clicked the icon 4.5 million times, and that consumers
have submitted 730,000 opt-out requests. That is not a real
high success rate I would think.
On your slide, I noticed the icon, and I toured Intuit a
little while ago, and they had some pretty fantastic technology
that tracked the eyeballs as they followed around the screen.
What kind of testing did you do of your icon and clicking on
that icon, is that evident enough for the consumers, or is this
not quite there yet as being as obvious to consumers as it
could be?
Mr. Meyer. Sure. So I think that we do a lot of testing,
and the challenge with the size of the icon in the ad is that
we are working with a small amount of real estate, and we have
to balance the notification about online tracking with the
ability for the ad to actually perform, and we have to enable
marketers to continue to meet their needs. The icon was created
through a cross-industry and cross-functional group that
included academics and industry, and it was tested reasonably
well.
And very importantly, I would end with the icon is not an
opt-out mechanism. The icon is an education mechanism. One of
the important features is the ability to opt out, and in terms
of the performance rates in terms of the clicks relative to the
performance of overall online advertising, it is very
consistent; general online advertising ads click rates
generally are under 1 percent anyhow.
Mrs. Bono Mack. Can you--and let me clarify a little bit
about what I am saying about the success rate of that, whether
that is driven by your design or whether it is driven by
consumer expectations is, I think, the point of the whole
hearing, but on all of these different cookies, can you briefly
explain the difference between tracking, session, persistent,
flash cookie, super cookie, and if there is absolutely no
technological answer on the horizon that could wipe all of
those things out?
Mr. Meyer. So the technological answers exist today for
almost all the different types of cookies.
Mrs. Bono Mack. Even a super cookie?
Mr. Meyer. Super cookies are the one piece that we at
Evidon think should not be used for any form of online
advertising. That is not what they are designed for. We don't
think there is any legitimate purpose in online advertising for
super cookies.
All the other forms of cookies that you allude to, that you
mention, are easily accessible. The most basic are HTML cookies
that are used for what are called session and permanent
cookies, and those can be erased through the opt-out mechanism
that we provide. We also own and operate a service called
Ghostery, which is one of the most popular privacy protection
tools for consumers. More than 4 million people have downloaded
it. That completely blocks advertising. It essentially creates
the on-off switch that is envisioned by ``do not track.''
Mrs. Bono Mack. So Ghostery is a lot stronger than if I
just go into my own browser and I hit delete cookies?
Mr. Meyer. That is true.
Mrs. Bono Mack. If I can go to Ms. Lawler, thank you for
your testimony, and for me, something that has struck me over
all of these years is the migration of what the content
industry has been faced with, that it is impossible to compete
against free. And I know that Intuit has tried, they have now
Mint.com, so you have both the Quicken and the Mint. Can you
explain, are consumers understanding the difference? Are they
enjoying the free program better? Are they migrating to free
because they are getting some trade-offs? Can you explain
briefly your experiences with the two?
Ms. Lawler. Yes. So let me start and say there is--Quicken
is actually our flagship product. That is where Intuit started
nearly 30 years ago, and so that is downloadable software or
CD-based software that you run on your desktop, so you pay for
that.
I think what you are asking is where the business model
goes and where consumers are going is to an online-based
service. In the case of Mint.com, Mint is free, and so you are
not paying for that. You can actually use some of the tools on
Mint without even signing up for it. When you go to the Mint
page, it is very simple, easy, clear to understand what the
value is, what you can do in terms of managing your budget,
tracking expenses.
How that gets paid for is through the option for you to get
offers.
Mrs. Bono Mack. But my question specifically is, are you
finding that consumers are going toward the free site rather
than the--either the downloading, you buy the CD-ROM at----
Ms. Lawler. They are moving over time. I don't have the
specific numbers with me. I would be happy to go find that
information for you and bring it back to the committee at a
later date. What we are finding is that there is a gradual move
to online. Some of that is technology based, so those who are
more comfortable with mobile technologies. It is also somewhat
generational, so as we see young people more comfortable with
using free online services or any online service, there is
definitely a trend toward online, but it is very slow and
gradual, so small percentages over the years.
Mrs. Bono Mack. All right, thank you.
My time has expired.
Mr. Towns, you are recognized for 5 minutes.
Mr. Towns. Thank you very much, Madam Chair.
Let me begin with you, Ms. Dixon. I understand that there
was a study in California of Internet users, and of course,
could you please talk about that just for a moment in terms of
what happened?
Ms. Dixon. Yes, I believe you are referring to the Chris
Hoofnagle and Jennifer King study that----
Mr. Towns. In 2008?
Ms. Dixon. Yes.
Mr. Towns. Yes, right.
Ms. Dixon. It was a groundbreaking study. What they did was
they went and surveyed online users and asked them what they
perceived when they saw privacy policies online. And their
findings were remarkable because the misperceptions were just
profound. So, for example, a majority of consumers, when they
saw a privacy policy, believed that that meant that the site
would not collect information about them, even collect. Users
also believed that they would have the right to sue if the site
did things with their data that they did not want, and these
were just among a few of the many misperceptions that consumers
had about privacy policies when they saw them, and consumers,
very few consumers understood that when, for example, they
opted out--there were questions about, you know, various
cookies and what not. Consumers just did not understand that
when they opted out with an opt-out cookie, that it didn't mean
that they were not going to be tracked; it just meant that they
were not going to be given display ads based on tracking. So
there was a profound, deep, serious misunderstanding and
misperception of what privacy policies actually mean when they
are on a site.
Mr. Towns. Thank you very much.
Dr. Acquisti, do you think privacy policies serve any
useful purpose for the consumers?
Mr. Acquisti. They do. I see them as necessary, not
sufficient, conditions in the sense that we do need privacy
policies because we need to inform and educate the consumers.
They are not sufficient, however, because of the type of
challenges I was describing in my testimony.
Mrs. Bono Mack. Excuse me one second, if the gentleman will
suspend. I am asked to notify you, while there are protestors
in the hallway, we don't expect it to get out of hand, but if
it does, please exit that door.
Mr. Towns. You don't have to worry about it, I am here. I
am here, don't worry about it.
Mrs. Bono Mack. There you go. I feel so comfortable now.
Thank you, please continue.
Mr. Towns. Yes, you may continue.
Mr. Acquisti. So the challenges I was mentioning, just to
summarize, are, one, the problem of--economists call it bounded
rationality. We don't have unlimited time to think about all
the possible consequences. Even if we read a policy, we may not
think through what it really implies. Some policies are written
in ways which are not easily understood. One study a few years
ago reported that half of privacy policies on the Internet are
not understood by about 60 percent of Internet users. Plus
there is also this additional challenge that if we take these
policies seriously, and we really believe that users, after
reading privacy policies, do not know what happens to their
data, the opportunity cost is enormous.
Mr. Towns. Thank you very much.
Mr. Hintze, I followed your company in terms of I know you
have a privacy officer. Basically what is the role of that
privacy officer?
Mr. Hintze. Well, we have a number of people at Microsoft
focused on privacy. We have got our chief privacy officer, who
is responsible for the overall governance of privacy programs
within Microsoft, and that includes training for our employees,
whether they are developers or marketers or human resources
folks. It includes the development of our standards and
guidelines that we provide around marketing, around product
development, et cetera. It includes building in privacy
checkpoints and privacy training and privacy standards into our
business processes. So our chief privacy officer oversees all
of that.
He also oversees, not necessarily direct reporting
relationships, but kind of a dotted-line relationship to all
the people in Microsoft who are focused on privacy, and we have
over 40 full-time people focused on privacy and another 400 who
have it as a defined part of their job, and those people are
embedded in every business and operations unit of the company.
Mr. Towns. Short of strongly regulating business, which
would probably do more harm than good, what can we do to
encourage other companies to consider privacy issues very
carefully.
Mr. Hintze. As I mentioned in my testimony, I think that
there are roles for multiple entities in protecting privacy
from government, individual companies, to academics and privacy
advocates as we have represented on the panel here today. I
think individual companies like ourselves can lead by example
by adopting strong privacy practices. We have made those
internal standards that I talked about for developing products
and services and building privacy protections into those; we
have made those publicly available so that others can see them
and take advantage of the work that we have done over the years
in developing those.
Privacy advocates clearly have a role in helping to educate
consumers and bring to the attention issues that come up and
nudging industry in appropriate ways to do the right thing. And
government has a role through enforcement when people are
breaking existing laws through using your own bully pulpit to
educate your constituents and playing the oversight role that
this committee has done so well for so many years.
Mr. Towns. Thank you so much. We salute you and your
company.
Mrs. Bono Mack. The Chair now recognizes Mr. Blackburn for
5 minutes.
Mrs. Blackburn. Mr. Meyer, I want to come to you.
I know that Evidon is partnering with Akamai? Am I saying
that correctly?
There was a Wall Street Journal article on it saying that
you would handle, what is it, trillions of interactions, a
trillion interactions a day. So let's talk about the consumer.
Now, with your platform, tell me what this means for the
consumer. How does it empower them? How does it allow them to
continue to protect or have the ability to protect what I term
the virtual you, their presence online?
So just in about 15, 20 seconds, can you give me that
synopsis?
Mr. Meyer. I will do my best.
So Akamai powers more than a trillion Internet transactions
every day. The Evidon technology, which you saw in my slides
and in my testimony, will now be built directly into that
platform, which will take the process of Web site operators of
all forms, and it will take the process of complying with the
program and giving consumers that view into their virtual you.
It will take what is now a reasonably complex legal and
technical process, and it will simplify to literally a few
clicks and a short one.
Mrs. Blackburn. So you are saying your ability is
simplicity and transparency and access. Is that what I am
hearing you say?
Mr. Meyer. That is the goal of us and Akamai getting
together for this.
Mrs. Blackburn. That is what I wanted to know. I was
unclear. The B2B is fine, but I want to know what you are going
to do for the consumer. How are you going be able to protect
their privacy?
Ms. Woolley, I want to ask you pretty much the same thing.
Do you think that industry can do a better job than government
in addressing these privacy concerns that you all have rolled
out with the Ad Choice campaign?
Ms. Woolley. Yes, I absolutely think that industry can do a
better job than government. The main reason is that we are
nimble, and we can move quickly. We have rolled out this
program in a year. And we are now rolling out further
iterations of the program, which include migration of that icon
overseas and migration of that icon to mobile devices. To do
that in less than a year is something that government could not
do.
Mrs. Blackburn. In your testimony, you mentioned protecting
data in terms of the cost to jobs, cost to the economy. And
would you just elaborate on that just a tiny bit?
Ms. Woolley. Sure. There have been several studies that
show that if the United States were to adopt a privacy regime
along the lines of what Europe has adopted that the cost----
Mrs. Blackburn. ``Do not track.''
Ms. Woolley. ``Do not track.'' And do not use cookies. The
cost to our economy would be about $33 billion a year.
Mrs. Blackburn. OK. Thank you.
I have a series of yes-and-no questions that I wanted to go
through. So if you all will listen, and I will have you raise
your hand for yes and your hand for no.
OK. Do you believe that a government mandated ``do not
track'' as the FTC has endorsed has gone too far and would be
too much to address the privacy problem? Yes, if you believe
``do not track'' goes too far, raise your hands. OK. So I have
got four on that.
And no. One no. And the rest abstain. So you are going to
be a no, too. I like decisiveness here.
Second question: Do you believe that government regulations
on commercial use of de-identified metadata or anonymous data
sets pose significant challenges to the First Amendment? So do
you believe that government regulations on commercial uses of
de-identified metadata or anonymous data sets pose significant
challenges to the First Amendment. Yes? OK. We have got two
yeses.
No? We have got two noes. And the rest are thinking.
Congress and the Federal Government in general have a low
approval rating. We admit that. Yes or no, do you think
consumers--here is the question, yes or no, this is what I want
to hear from you all: Do you think consumers trust government
to know best how to protect their privacy through rules,
mandates, legislation, or no? Do they trust the government to
do it, or do they trust you?
Yes, if they trust government. Just two of you would trust
the government.
No, they don't trust the government. They would trust
industry, one. Like these hands kind of waving out there.
Do you believe that new privacy regulations could have an
adverse impact on industry competition that would hinder
smaller firms, some of the innovative firms?
Yes.
Do you believe new privacy regulations could have an
adverse impact on industry competition that would hinder
smaller firms or no?
Yes if you believe it is going to have a----
We have got two on the yes side.
No, not going to impact.
One no.
I am going to let you off the hook because my time has
expired. Thank you.
Mrs. Bono Mack. The chair thanks the gentlelady and now
recognizes Mr. Lance for 5 minutes.
Mr. Lance. Good morning to all. This is very interesting,
and I have learned a great deal.
To Ms. Lawler, do you know what percentage of your
customers view and manipulate the privacy options that you
offer them?
Ms. Lawler. We have a couple of different ways that we
approach privacy choices. If you think about the traditional
choices that most companies have offered for the last several
years, which would be in the marketing space--so around phone
calls, e-mails, snail mail and so on--it is a fairly small
percentage. I don't have all of the numbers with me. I can tell
you that in our email marketing, specifically that our opt-out
rates are at about the industry average, but I would be happy
to research that more with our technicians.
Mr. Lance. What is the industry average?
Ms. Lawler. It is about 0.05 to 0.1. It depends upon the
type of ad and the context.
Mr. Lance. Thank you. Thank you very much.
To Professor Acquisti, your testimony includes an
interesting point that I am not sure has been raised before.
You call it the paradox of control. In other words, the more
privacy choices a consumer has, the more likely that consumer
is to have a false sense of security. Does this argue against
more granular controls, or if you would elaborate on your views
on that?
Mr. Acquisti. It was a paradoxical result. To explain it
with an analogy, other studies have shown that when you ask
people to wear seatbelts, they--some of them may start driving
faster. It is probably overconfidence. You feel more protected,
you end up taking more risks.
So we believe that this is what is happening in the results
we found is you make consumers feel more in control, the ones
deciding with the agency of deciding whether or not to disburse
information, which in a normative sense is a good thing, the
unexpected consequence can be that this overconfidence can lead
to the consumer taking more risk.
What I mean by more risk, and I have to be very careful, is
compared to a condition where there was no such feeling of
control, the subjects in the control ended up revealing more
sensitive information to more strangers.
Mr. Lance. So how would you overcome that challenge?
Mr. Acquisti. Well, it is central what kind of control do
we give, and whether control solves all of the problems. So the
results of the study suggest that merely giving granular
control may not solve consumer decision-making problems if the
control leads to bad decisions later on.
It is not a statement about we should never give control,
of course. It is about what matter, what type of control we
give and whether by giving control, do we feel that we have
solved privacy problems.
The results of the experiment, such as the answer to the
last question, is no.
Mr. Lance. Thank you very much.
To Mr. Hintze from Microsoft, you state that consumer
attitudes to privacy can evolve over time--I am sure that is
true--noting how consumers were originally hesitant to share
photos and videos online, but now regularly do so. Have you
seen any evidence where consumers are evolving in the opposite
direction to restrict the collection and sharing of their
information online with commercial operators?
Mr. Hintze. I am not sure I can point to any particular
statistics that would show that, but I certainly think that we
see more of an awareness of privacy than we did a few years
ago.
I agree with the comments that Ms. Dixon made that people
don't always fully understand all of what is going on, and it
is always a challenge to get the right information in front of
consumers, but you do see a heightened awareness, and that is
in large part due to the work of privacy advocates and many of
the journalists. And we have all seen the Wall Street Journal
series of articles and other publications that have been
focused on privacy.
Whether that translates into people making different
choices, that is hard to quantify, and I am not quite sure how
we would do that. But we certainly see more people looking at
our privacy Web pages now than we have in the past, and it is
certainly something that we are cognizant of and want to make
sure we are responsive to those concerns.
Mr. Lance. Thank you very much. My thanks to the panel.
I yield back the remainder of my time.
Mrs. Bono Mack. The chair now recognizes Mr. Gonzalez for 5
minutes.
Mr. Gonzalez. Thank you very much. I appreciate it.
I apologize for not being here for the testimony. I had the
opportunity to review written statements that were submitted.
Again, I wish I could have been here for the testimony because
it is incredibly important to have you here today and to share
your viewpoints and your own experiences.
My first observation, of course, is information gathering,
dissemination, protection of same and so on, and how important
that is to different industries.
So I guess I want to acknowledge that in this informational
age and how we market, how we promote products and services in
our system is incredibly important, and things have been
revolutionized. And the fact that you can now target audiences,
which I think is a tremendous advantage--it makes a more
effective way for those individuals in this country that have
different business enterprises to reach their customers. And
you know what happens when we reach customers? And that means
we in fact do create wealth for many, and we create jobs in
this country.
So I want to acknowledge the importance of information
gathering, what it means, and that many of the services that
are provided today, as we say free, really constitute a trade.
You will receive some sort of service through the Internet one
way or another in return for allowing the person that is
providing you this service or benefit the opportunity to
basically establish some sort of consumer DNA. And that is the
world that we live in.
And I think, as I came in, one of the things that Mr.
Hintze was pointing out is really whether the consumer is aware
of the information that they are providing and its use.
And we have struggled with this in the past, even years ago
when I was on financial services, as to what an affiliate would
share.
But what it comes down to--Mr. Hintze, I was reading your
testimony, and it is very interesting because you have
different points. But one of them of course is technological
tools. And that is that you, with Microsoft, could provide the
consumer and the user of the Internet with the ability to
basically not allow any kind of tracking to establish this
consumer identity or DNA. Is that correct?
Mr. Hintze. That is right. In the testimony, I briefly
mentioned the features we built into Internet Explorer 9 in
response to the call for ``do not tracking'' mechanisms that
are browser-based.
And if I could expand on that slightly, what Internet
Explorer 9 does with the tracking protection feature is that it
allows consumers to turn on this feature and import any
tracking protection lists that they want, which would be a list
of third party sites that may be tracking individuals across
the Internet. And when you turn this on, it blocks those
connections to those third parties.
So, for example, if you went to a major news site and there
were 10 third parties providing content on that site, which is
not an uncommon scenario--a couple of them may be advertising
networks. One may be a stock ticker; one may be an embedded
video, all coming from different sites. If one or more of those
sites were listed on a tracking protection list that a user had
installed through this feature, that call just wouldn't be
made, and that would cut off any ability for that third party
to collect any information because it is blocking the content
coming down, and it is blocking any other connection going back
up to that third party. So the nice thing about that is it is
technology neutral. It doesn't matter if they are tracking
through a cookie or through logging IP addresses, or even one
of these super cookie mechanisms, the connection just isn't
made.
It is kind of a sledgehammer approach. It blocks the
content, too, but it is very effective.
In contrast to some of the other ``do not track''
mechanisms that have been mentioned during the opening
statement of Ms. Bono Mack, she mentioned that the Mozilla
approach sends a signal to the receiving Web site that says
``do not track.'' The problem is there has been no definition
or common understanding as to what a Web site is supposed to do
in response to that signal. And we are working with the World
Wide Web consortium and with Mozilla and with privacy advocates
to try to provide some definition around that, so that there
are additional choices for consumers that we support.
But in the interim, the approach that we have taken is
effective and doesn't rely on the receiving third party to make
any choices or decisions.
Mr. Gonzalez. Technology has created, we want to say it the
dilemma or the challenge, so technology would be the answer.
And I only have a few seconds. But let me get this straight.
What you are able to provide the Internet user is going to
be where they select the third party sites. This is not going
to be a generic or universal application where I, Charley
Gonzalez, I could just have this feature, and I don't have to
identify a particular third party; it would just be all
encompassing. It doesn't matter what contact or who I contact
or who I connect with, I wouldn't have the ability to have that
feature. It is all contingent on identifying the third party
site.
Mr. Hintze. You can download a list from an entity you
trust; a privacy advocacy organization could publish a tracking
protection list. Any organization could publish one. You could
create one yourself, but as you mentioned, you would have to
know. But you can rely on an organization to do that. And there
are some out there that are very comprehensive. They have many,
many third parties on there, that if you import that, it would
block those third parties. So you don't have to do that sort of
leg work yourself. You could rely on a trusted entity that you
trust.
Mr. Gonzalez. You are on the right track.
Again--Madam Chair, if I could have a few extra seconds----
Mrs. Bono Mack. There will be a second round if we can.
Mr. Gonzalez. I think we are going to have a second round,
so if you can wait my turn again.
Mrs. Bono Mack. The chair now recognizes Mr. Guthrie for 5
minutes.
Mr. Guthrie. Thank you, Madam Chair.
Thank you for coming. Thank you for being here today.
Just a couple of questions as we move forward.
Advertising has always been about behavior. All of us are
behavior advertisers. I want to send pieces of mail to people
who vote. So we always get the voter rolls out, and we go
through. I know it is a public record, but it is private
behavior that is made public for us to move forward and see.
But what we have to do is to try to balance now that things
are in hypermode with the technology. If you make a phone call,
somebody knows where you are, they can find out where you are
at all times. If you use your discount card, that is why they
give you a discount; they want you to swipe it so they can
track your behavior shopping so they know how things are going.
But the question is we have got to try to balance.
I know that Bing, Yahoo, Google, any search engine wants to
outdo the other one. They want to be faster, better because
they want me to go to it, because the more people that go to
it, the more valuable their advertising space is, just like if
I want to watch a Kentucky basketball game for free, they have
got to take a break every 8 minutes to show a commercial, so I
can watch it for free. And that has happened on the Internet,
but the difference is they can individualize it, I guess.
So I guess my point is, and I guess Dr. Acquisti, since you
studied this--and you said you didn't think it would affect the
economic behavior of this; we talked about the $33 billion of
job loss. Ms. Blackburn asked a question. You said you didn't
think it would affect it.
If the search engines aren't getting the revenue from the
advertising to let me to use it for free and they are competing
against each other to make it better, so it is far better than
it was a year ago, what is going to drive that innovation if
the advertising dollars--if we follow the European model, what
is going to drive the innovation or continue to be free to me,
or will we have to start paying for it like when we did debit
cards? We took a vote here to change the debit cards. Now the
people who voted for it are complaining about the fact that
banks are charging for it. So, I mean, that is the question
what I want to ask you. How is it not going to affect--how is
it going to work economically if we do the European style
system?
Mr. Acquisti. Definitely. So to clarify the point I was
making in the testimony was not that there will be no effects,
but rather I was pointing out that the so-called free goods we
get online are free only if you don't consider the fact that we
end up paying for them as consumers through a different channel
as we purchase the goods, which are offered online.
Mr. Guthrie. Like watching a sports game on television for
free. You have got to sit through the commercial to watch it.
Mr. Acquisti. That was the point I was trying to make.
Mr. Guthrie. Or you can do Pay-Per-View and watch it
without commercials. But a lot of us don't want to pay for a
search engine. We just want it. And so who is going to pay for
it if we don't do it? Is the model that you have to pay
individually, like you have to sign up for a search engine,
like $10 a month or something as opposed to getting it for
free? How is it going to work if we don't have advertising?
Mr. Acquisti. Actually, if I may, the alternative I don't
believe is between no advertising and advertising. First of
all, this is in parentheses, free content existed even before
the age of behavior advertising. In fact, we don't know exactly
how much of the free content now available online is due to
behavior advertising versus quote-unquote more traditional.
Mr. Guthrie. I only have a minute and a half. So maybe we
can catch you in the second round.
I wanted to ask Ms. Dixon. I had an uncle or great uncle
who had early-onset Alzheimer's. He died in his 50s. I am 47
now. So if I go online and maybe I don't know this and I Google
early-onset Alzheimer's, what do I need to fear that I don't
know, because if I Google that right now, what could happen--
because you were saying that--I mean what would happen if I
went in and search-engined that, what could happen to me that I
don't know about?
Ms. Dixon. In a search engine, I don't think you have so
much trouble because most of the ads are contextual, and it is
really not that big of a deal. Maybe you will find a rogue
actor advertiser, who is kind of a low-hanging fruit and out of
the ballpark and not playing by the rules.
But in general, where you really need to be concerned is
when you go to--a couple of different things. There are three
scenarios. One, you go to a scammy site that is just built
based on fear, and someone slapped up a Web site, and there are
all sets of third parties on it, and they are gathering up any
information you are filling into a form, and they are selling
it on to a direct marketing list. That happens more often than
I even want to describe. It is a terrible thing when it happens
to anyone. That is what you need to fear.
The second thing would be if you go to let's say a very
legitimate Web site. It is a legitimate business. There are
some very large Web sites that you could go to that focus on
health care and type in your query. What can happen is that you
simply begin to see advertisements that are focused on early
Alzheimer's. That is really not that big of an outcome in my
book. That doesn't bother me that much.
What bothers me more is that there may be a number of third
party entities on that page. It could be advertisers; it could
be other kinds of third parties. It could be Facebook. It could
be all sorts of different third parties now in this new kind of
digital technology.
Mr. Guthrie. What can they do to me?
Ms. Dixon. Well, that is the thing. What they can do is
they can take that information that you have given and merge it
with other information, and that becomes a part of a profile
about you or the computer you are using. If you have registered
for the site, it becomes part of your profile.
Mr. Guthrie. And somebody would use that to do what that
would be negative?
Ms. Dixon. They can sell it. They can sell it outright. It
happens every day.
Mr. Guthrie. So somebody can say, ``He must have
Alzheimer's'' because you Google that?
Ms. Dixon. Or he is interested in Alzheimer's information.
Mr. Guthrie. And that is bad. OK.
Ms. Dixon. Or has Alzheimer's, correct.
Mrs. Bono Mack. The gentleman's time has expired.
The chair recognizes Mr. Butterfield for 5 minutes.
Mr. Butterfield. I think we are all well aware that a lot
of free content available on the Internet is made possible by
advertising, all types of advertising, not just behaviorally
targeted advertising. I think consumers understand that they
get free content thanks to the ads that surround that content.
But what they often don't understand is that the spaces
where those ads are placed might sometimes be watching them.
As one privacy expert who has looked at consumer attitudes
and behavior regarding privacy has put it, consumers accept the
idea that ads support free Internet content but do not expect
data to be part of that exchange. Many in the Internet tracking
industry argue that steps to empower consumers to decide for
themselves whether they want to allow tracking of their online
activity will kill free Internet content. I, for one, do not
buy this argument. I don't buy it because reported advertising
revenue numbers don't support it.
The last figure that we have been able to track showed that
revenue from behaviorally targeted ads was $925 million in
2009. That is almost a billion dollars. This figure was
reported in a large 2010 marketing industry blog post. This is
the only easily accessible piece of information that we have
been able to find that specifically breaks out revenue from
these ads. In 2009, overall revenue from every type of Internet
advertising was $22 billion, almost $23 billion.
Now, the first question is open to anyone who wishes to
respond. Can any of you provide more recent figures that
clearly break out the amount spent on behaviorally targeted ads
last year, not on display advertising generally or all online
advertising, but specifically on behaviorally targeted ads? Do
any of you have any data that you feel you can provide.
As I used to say when I was a judge, let the record show
that no one responded.
Ms. Woolley. Let me just respond that according to the
FTC's definition of what online behavioral advertising is, one
of our partner trade associations in the DAA, the Internet
Advertising Bureau, found that over 80 percent of the ads that
are delivered are OBA or online behavioral advertising. And
actually, I think, sir, the revenue number is significantly
higher than the blog post that you cited. DMA has done several
studies more recent than 2009 with global insight, and I think
the number is actually substantially higher.
Mr. Meyer. If I can add to that, I can follow up and get
you the specific estimates. I think it is in the several
billion dollars. And the other important thing to think about,
there are two other important points.
The first one is the definition of what is behavioral, and
that is why a legislative approach could be so dangerous,
because it could be anywhere from a reasonably small percentage
to a number as high as 70 to 80 percent. That is the first
piece.
And the second one is that this is the fastest growing part
of the online advertising industry. So if you break out the
different pieces, the data-driven behavioral and network
advertising is growing at the fastest rate inside of an overall
very fast-growing industry, along with video advertising.
Ms. Woolley. I guess one other point I would like to make
here, too, is that there was a conversation about targeting
individuals. I represent the Direct Marketing Association.
Targeting individuals is not a new phenomenon. It is something
that--the Direct Marketing Association is close to 100 years
old. That is something that has gone on for close to 100 years.
And direct marketing methods and techniques are part of the
curriculum of almost every university that has a direct
marketing program. So these are actual techniques and
methodologies that are taught in university.
So the thing that the Internet has done is make the process
faster and more nimble. But the techniques and the methods are
not new.
Mr. Butterfield. All right. That is helpful.
Thank you. I yield back.
Mrs. Bono Mack. I thank the gentleman.
The chair recognizes Mr. Kinzinger for 5 minutes.
Mr. Kinzinger. Thank you, Madam Chair.
Thank you all for coming out and for participating.
I will be the first to say that I think government needs to
put an end to needless regulations that do little to protect
the consumer or protect jobs.
But I am not convinced personally that ``do not track''
legislation is the right approach. I do have some serious
concerns that without privacy protection, consumers can lose
confidence in the online free market.
Each of you represents responsible companies that are
working to inform consumers in their privacy choices online.
But in the end, you don't represent the bad actors that could
potentially come and undermine your efforts.
So my first question is to all of you, and we can do the
hand raise thing. You all basically answered this, but I want
to see for myself: Do you think the committee should pass
privacy legislation to ensure the bad actors don't undermine
your efforts?
Who is a yes on that?
And who is a no?
So two noes.
I am also deeply concerned by what a Stanford study that
appeared in the National Journal yesterday said. The study
shows that Web sites are unknowingly leaking email addresses,
user names, and other personal information to ad networks. If
consumers had the choice and were aware of this transfer of
personal data, I don't believe the mass majority of consumers
would support Web sites selling this personal information to
outside parties. Should consumers be required to opt-in to
allow Web sites to share this personal information?
And let me also expand on that. I am not talking about a
30-page privacy statement that nobody reads. I don't think I
have ever read a 30-page privacy statement in my life.
Something that should clearly be presented before it is being
shared.
So should opt-in be a requirement? I guess we can start
right to left----
Ms. Dixon. It is really complicated.
Mr. Kinzinger. Well, let's try to keep it very short if we
can.
Ms. Dixon. It is a challenging question to answer in a
black-and-white manner. If there is a first party relationship,
that is one thing, but if we are using first fair definitions
of first party, first party fine. Third party, that is a whole
different thing. It really needs to opt-in for third party.
Mr. Kinzinger. Doctor?
Mr. Acquisti. I actually agree exactly with the statement.
Mr. Kinzinger. Anybody else have anything?
Ms. Woolley. I have an opinion, and it is a complicated
question.
The wonderful thing about the icon is that--which is over
there; I don't think you were in the room when I mentioned
that--is that it gives the consumers a choice about opting out
of those third parties who are on a site and not allowing
collection and use of the data. And it is easy. It is
transparent. It is ubiquitous at this point. You can't be on
the Internet without seeing the icon.
Mr. Kinzinger. You are more of an opt-out versus an opt-in.
Ms. Woolley. Well, there are lots of reasons that--the
Stanford--and I don't even want to call it a study. It was the
musings of a graduate student. It was not peer-reviewed. There
was no methodology. That is all that it was. There are great
reputable studies out there, but that was not one of them.
As my colleague from Microsoft mentioned earlier, there are
lots and lots of reasons why third parties are on Web sites.
Some of them are there to serve ads. Some of them are there to
collect information, but others are there to deliver content,
like sport scores and stock scores. So if you are absolutely
blocking third parties or you are collecting opt-ins for
absolutely everything for third parties, the consumer has no--I
mean, we go to CNN.com. We know what we want. And if I have to
permit every single one of them, I don't know what I don't
know.
Mr. Kinzinger. Any of the other three of you?
Mr. Meyer. I would like to go back to something you said
about ``do not track'' and the need for legislation. The reason
I said no is because it already exists in the form of the
Federal Trade Commission Act. Just this morning, the Federal
Trade Commission settled with a company for deceptive trade
practice. And the situation you described tends to be firmly in
line with those deceptive trade practices, and that is the
right role of government----
Mr. Kinzinger. Thank you. I am going to have to cut you
guys off because I have one more question.
I have an update from a major telecom provider which says
they are going to start sharing user information with local
companies based on their physical address on an opt-out. They
are also going to start recording and sharing URLs of Web sites
visited with actual, physical locations of that users wireless
device. It does say there will be no information that is
personally identifiable, but after seeing the study, which you
call into question but I have some interest in, I am not sure
that it is possible. Should sharing a user's geolocation data
with ad networks require a clear concise opt-in from the
consumer? If we could go--do you three have anything, first?
Mr. Hintze. I would be happy to address that.
We operate a phone operating system as well as many of our
other things in addition to our ad business, and our approach
has been that we believe that the collection of precise
geolocation information should require an affirmative consent
on behalf of the user.
Mr. Kinzinger. Does anyone disagree with that?
Ms. Woolley. The one thing I do want to say is if
information as you are describing it right here is aggregated,
that geolocation that is aggregated and not specific to an
individual could be used for all sorts of business decisions,
not----
Mr. Kinzinger. We are talking about marrying that with a
specific individual, though, in this case.
But thank you all for your generosity.
I yield back.
Mrs. Bono Mack. The chair recognizes Mr. Dingell for 5
minutes.
Mr. Dingell. Madam Chairman, thank you. I commend you for
this hearing.
These questions are yes-or-no questions.
To all witnesses, starting at your left--rather at your
right and my left, is it your understanding that interest-based
advertising supports much of the free content of the Internet,
yes or no? Beginning with Ms. Lawler.
Ms. Lawler. Yes.
Mr. Hintze. Yes.
Mr. Meyer. Yes.
Ms. Woolley. Yes.
Ms. Dixon. Yes.
Mr. Dingell. No disagreement.
Further, is it your understanding that the consumers expect
much of the content they consume online to be free, yes or no?
Ms. Lawler. Yes.
Mr. Hintze. Yes.
Mr. Meyer. Yes.
Ms. Woolley. Yes.
Mr. Acquisti. No.
Mr. Dingell. So no disagreement on that.
Do you believe that all consumers have the same view of
interest-based advertising, yes or no?
Ms. Lawler. No.
Mr. Hintze. No.
Mr. Meyer. No.
Ms. Woolley. No.
Mr. Acquisti. No.
Mr. Dingell. So we have agreement there.
To all witnesses, is it fair to say that imposing ridged
privacy requirements on interest-based advertising would have a
drastic effect on the way consumers currently experience the
Internet, yes or no?
Ms. Lawler. Can you ask the question again, please?
Mr. Dingell. Is it fair to say that then imposing rigid
privacy requirements on interest-based advertising would have a
drastic effect on the way consumers currently experience the
Internet, yes or no?
Ms. Lawler. I am going to say probably.
Mr. Hintze. I know you asked for a yes or no, but I think
it depends on what you mean by rigid. We think there can be
some baseline privacy requirements that are perfectly
consistent with the business models and innovation that we are
talking about.
Mr. Dingell. I will not object to any of you panel members
giving additional response for the purposes of the record
because that is fair to you.
Mr. Meyer.
Mr. Meyer. I would agree with Mr. Hintze that it depends on
the level of the rigidness, but the potential for it having a
negative impact is unnecessarily high in my opinion.
Mr. Dingell. Ma'am?
Ms. Woolley. Well, I have to give you the lawyer answer,
too, which is, it depends. Because I think our program imposes
very rigid requirements, and I think the way we have done it
does not adversely affect the Internet.
Mr. Dingell. Our next two panel members, please?
Mr. Acquisti. My answer is not necessarily.
Ms. Dixon. My answer is not necessarily. However, I am not
sure that is the only thing we should be focusing on.
Mr. Dingell. So I guess that is a maybe.
To all witnesses, do you believe that the current industry
efforts to protect consumer data privacy are sufficient, yes or
no.
Ms. Lawler. Yes, but we can do more.
Mr. Hintze. Generally, yes.
Mr. Dingell. If you please, Mr. Meyer?
Mr. Meyer. We are off to a very good start, but we need the
support of, in particular, of this committee and the Federal
Trade Commission to accelerate the acceptance.
Ms. Woolley. Could you repeat the question?
Mr. Dingell. Do you believe that current industry efforts
to protect consumer privacy are sufficient?
Ms. Woolley. I believe that they are sufficient, but I also
know that our program is evolving, so we have the ability to
evolve and get stricter as times change.
Mr. Acquisti. Unfortunately not, but I believe there are
industries, privacy technologies which could definitely help.
Ms. Dixon. At the current time no, however I believe that
the efforts could be improved through self-regulatory reform,
such as involving consumers, having independent bodies
overseeing the efforts and other things that would----
Mr. Dingell. I have a minute and 3 seconds left. Do you
believe that such efforts can be improved, or do you believe
that Congress should pass data privacy legislation?
Ms. Lawler. We believe that there is a significant
opportunity for businesses to come together and lead more and
do more in a self-regulatory approach. If Congress were to act,
it would need to be a principle-based approach that is flexible
and nimble and is not overly prescriptive.
Mr. Hintze. I think current efforts can be improved, and
they are being improved, and I think that there is also a role
for baseline privacy legislation.
Mr. Meyer. I don't think it is necessary, but if there were
any type of legislation, it would need to provide safe harbor
for existing problems.
Ms. Woolley. I do not think that legislation is necessary,
and I think our table includes many wonderful American
companies, including GM, and I would invite everybody here to
be part of that program because our table is open.
Mr. Dingell. Sir?
Mr. Acquisti. I believe it can be improved and the
legislation can foster the deployment of technologies based on
public/privacy interaction focused on privacy and data sharing.
Ms. Dixon. Legislation will help and improvement of the
current regimes will help as well.
Mr. Dingell. Now, again, to all witnesses. I am intrigued
by the concept of ``do not track'' list. Is it advisable for
the Federal Government to mandate a ``do not track'' solution
that prevents people from being tracked by the multiple devices
that they use to access the Internet, yes or no? Starting with
you Ms. Lawler.
Ms. Lawler. We don't believe that it makes sense for the
government to mandate a ``do not track'' approach. We think it
needs to evolve in terms of tools and technology.
Mr. Hintze. We agree with the comments of Ms. Lawler. The
FTC's done a good job of encouraging industry to move forward,
but the industry has responded in an active way.
Mr. Meyer. Legislative mandates for technology we don't
think are the right approach, especially because it would
extinguish a very vibrant competitive entrepreneurial market
that provides these tools today that continue to evolve and
compete with each other.
Ms. Woolley. People need education. They need to know what
is going on. They need to be make their own choices.
Mr. Acquisti. It may not be the ideal solution, but it is
better than no solution
Ms. Dixon. We do support ``do not track'' legislation.
Mr. Dingell. I note I am out of time, Madam Chair.
Mrs. Bono Mack. The chair recognizes Mr. Olson for 5
minutes.
Mr. Olson. I thank the chairwoman.
And I want to welcome the witnesses and thank you for
giving us your time and expertise. And just for the record, my
neighbors' kids were not out in the lobby early this morning.
They are still back home in Texas, as far as I can tell.
And my first set of questions are going to be for you, Ms.
Woolley, and I want to follow up on the line of questions from
Ms. Blackburn from Tennessee about the economics of privacy.
And I am familiar with the Digital Advertising Alliance's
effort to develop the advertising icon so proudly displayed
over here, which provides consumers with notice and choice
about ads being delivered to them through behavioral targeting.
Many of the big companies have adopted the icon, but as you
know, small business drives job creation in our economy. So can
you elaborate more on how you have made the icon available to
our small businesses for free?
Ms. Woolley. Thank you for raising that. It is actually a
great story. We have made the icon available for free. If you
have less than $2 million of revenue that is derived from
online behavioral advertising and you are a small business, you
can get the icon for free. We also have a program with one of
the ad networks that deploys the icon on small business Web
sites.
And the thing that that does is it enables those small
businesses to get revenue from the ad networks because their
ads are--they are now targeted ads. So it enables small
businesses not only to get revenue from the businesses that
they are in but from the advertising world as well. So it is
actually a great program.
Mr. Olson. That is my feeling as well.
Would you say that the icon provides a competitive
advantage to companies that adopt it? To put it another way,
are companies competing for business based on privacy features?
Ms. Woolley. Actually, that is very interesting. When we
launched the icon, we did not anticipate it being a trust seal
of sorts. We thought that it was really just a consumer notice
and choice mechanism, but it has actually wound up being a
trust seal. And companies are competing based on the fact that
this is a symbol that consumers can see; they know, they know
that there are principles and enforcement behind it, and they
wind up trusting that site much more than they would have
otherwise.
Mr. Olson. So it actually is becoming competitive and
driving----
Ms. Woolley. Absolutely.
Mr. Olson. Finally, in your testimony, you mentioned one of
the major benefits of industry self-regulation is its ability
to respond quickly to changes in technology and business
practices. And some have raised concern that data collected for
advertising purposes could be hypothetically used as a basis
for health insurance or credit eligibility decisions, but we
don't have any actual examples or cases of this happening. But
DAA is still going to address these concerns and help to expand
your guidelines to clarify these kinds of practices that would
be prohibited. Can you elaborate more on that initiative?
Ms. Woolley. Yes, sir. You actually have stolen a little
bit of our thunder, because in a couple of weeks, we are going
to be making the announcements that all of the companies that
comply with the DAA program will be prohibited from making
eligibility decisions, any kinds of eligibility decisions based
on data that is advertising and marketing data.
So I know that the chairman of the Federal Trade Commission
is fond of saying, ``If you buy a deep fryer online, then you
will be denied health insurance.'' And we want to make it
abundantly clear that that kind of decision is not acceptable.
It is not part of the program. If you do that and you are part
of the program, you will be thrown out of the program and
referred to the FTC.
Mr. Olson. I didn't mean to steel your thunder. That is not
what I intended to do.
This is a final question for all witnesses. Because of my
time, I will probably have to make it yes or no questions.
It is my understanding that the FTC has received a very
wide range of comments concerning consumer attitudes and
behavior when it comes to privacy. My interpretation of that
wide range in comments: There is no clear consensus. Some
consumers feel more strongly than others about online
protections.
And so my question for all of you, starting to the left and
work to the right there, is there any hard data that you are
aware of that demonstrates the level of discomfort or the
percentage of consumers who are willing to forego the benefits
of free content online in order to avoid being tracked, yes or
no? Starting at the end with you, Ms. Lawler.
Ms. Lawler. I don't have any specific information from our
consumer or customer studies that would indicate that
particular type of action.
Mr. Hintze. It is hard to interpret a lot of the studies
out there because, as Dr. Acquisti pointed out, there is a
discrepancy between what people say and what they do. So you
can find a lot of studies that say people are very concerned
about privacy, and I believe there is something behind that.
But in terms of the tradeoffs, that is harder to quantify.
Mr. Meyer. We haven't seen that research. It is the same
juxtaposition between what consumers say and what they do. But
it is something we are actually looking at Evidon right now.
Ms. Woolley. People vote with their feet or with their
pocketbooks. And I think it is accurate to say that people are
concerned about privacy, because they are. And I think it is
also accurate to say that people are not afraid to use
technology, and they are not afraid to use the Internet. Sales
on the Internet have gone up exponentially in the last 3 years,
and new devices come out. People love them. They buy them. They
down load apps. They are very willing to adopt all of these new
things as they come out. They love them.
And we are very mindful of the fact that as an industry, we
are the ones providing all of these great and wonderful and
engaging things to people, but we have to take into
consideration their desire for privacy. And that is the main
reason that we have created this entire program.
Mr. Olson. You have met my 14-year-old daughter.
Mrs. Bono Mack. The gentleman's time has expired. And there
will be a an opportunity for a second round, but there are
still some other members needing to ask questions.
The chair recognizes Mr. Stearns for his 5 minutes.
Mr. Stearns. Thank you, Madam Chair, and let me compliment
you. This is a great hearing, and I am glad to have all of
these witnesses here.
Ms. Woolley, let me say that I think that your logo and
what you are doing is terrific, and I think it goes a long way
toward this self-regulatory behavior and program. And we have
just got to educate the consumers what it means when they see
your logo. And hitting that logo, when I look at your slides,
it starts to move into a little complication. And had you
thought about perhaps even simplifying it even further, or do
you think you are at the point where it is pretty well
understood by consumers?
Ms. Woolley. I don't think it is at the point where it is
understood by consumers. We are actually later in the fall
going to be launching an education campaign just to get at that
point. We really hope that over time consumers will look at
this symbol and know exactly what it means, kind of the way
consumers look at the recycling symbol. Fifteen years ago,
nobody really knew what the recycling symbol was and how they
do it.
Mr. Stearns. This Good Housekeeping Seal, which everybody
recognizes, is universally accepted.
Ms. Woolley. Exactly.
To answer your question about whether the program is where
it needs to be, we launched this program a year ago, and we are
constantly looking for suggestions about evolving the program,
making it more consumer-friendly and making it do really what
all of you want it to do. So I welcome that input.
Mr. Stearns. When I look through your slides, it is almost
as a consumer, I just want one big button, can I opt out, and
that is it, and it is done.
Ms. Woolley. There are two ways that you can get to our
opt-out. You can get to it from the icon that is on ads. The
other way that you can get to it directly is if you go to
www.aboutads.info, and if you go to that site, in the middle of
that site is a huge check mark, and it says, for consumers, if
you check on it, you can opt-out right there.
Mr. Stearns. That opt-out, when you do that, does that
apply to all of your companies, or does i apply to----
Ms. Woolley. The first thing that happens is you will see
your computer churning away, and it will tell you the ad
networks that are operating on your browser on that computer.
And you can opt-out of all of them if you want to. Immediately
behind it is a screen that tells you all of the ad networks
that exist, and you can opt-out of all of those if you want.
Mr. Stearns. I think it is a credit to what you are doing.
When you see the European Union's privacy policy and then you
see a lot of Latin America and a lot of Asian American
countries have stopped--India is starting to include a privacy
policy adopted after the European Union, we are almost going to
be sitting here with a self-regulatory type of operation
compared with everybody else.
Do you feel there is any Federal baseline legislation that
is needed at all for privacy?
Ms. Woolley. Not at this time. We have got some great
privacy laws in the area of HIPAA and Gramm-Leach-Bliley----
Mr. Stearns. Dealing with financial and health care----
Ms. Woolley. Exactly.
Mr. Stearns. So you don't think there is any other area
that is as sensitive?
Ms. Woolley. I don't.
Mr. Stearns. Do you think that there is any need for
Federal baseline legislation for any aspect of personal privacy
on the Internet? Just yes or no.
Ms. Lawler. I need to say more than yes.
Mr. Stearns. Just yes or no. If you have to check off
whether we need Federal baseline legislation for any aspect of
personal privacy on the Internet?
Ms. Lawler. As a company that is already regulated by some
of the laws just mentioned, if there were a Federal baseline
approach, we would want to see something that is principle-
based. So we think that there's a potential for an appropriate
baseline in place----
Mr. Stearns. I have a bill H.R. 1528. It is a privacy bill
that Mr. Matheson and I both dropped.
Ms. Lawler. Yes. I have looked at that.
Mr. Stearns. Do you think there is anything in there that
you think should be needed? You won't offend me if you say no.
Doesn't bother me at all. I have nothing tied to my
legislation.
Ms. Lawler. I think there are some things there that are
workable.
Mr. Stearns. Let me go down and ask you if you think there
is any Federal baseline legislation, Yes or no?
Mr. Hintze. Yes, we have been on record for a number of
years.
Mr. Stearns. I know. I thought you had.
Mr. Meyer. We don't support any new baseline legislation,
but having read your bill, the piece that we do like is the
provision for safe harbor for self--existing self-regulatory.
Mr. Stearns. Using the Federal Trade Commission.
Ms. Woolley. Ditto with that.
Mr. Acquisti. Yes, we do. Self-regulatory solutions tend to
fail under pressure, and the recent studies have shown that
there is a frequent non-compliance with NAA and the DAA
initiatives among the top 100 Web sites----
Mr. Stearns. So your answer is yes, there needs to be some
type?
Mr. Acquisti. Yes.
Mr. Stearns. Ms. Dixon, I assume you are a strong yes.
Ms. Dixon. Yes, and we would still like to see reforms of
existing self-regulatory programs to include consumers in other
reforms.
Mr. Stearns. Let me ask this last question and just ask one
person, so it won't take too much time. What benchmarks are
needed for self-regulation? Could you say from your experience
what benchmarks are needed, since you represent the digital
alliance?
Ms. Woolley. Thank you. I think the right benchmark is not
how many people opt-out. I think the right benchmark is how
many people are seeing icons, and do they know what it means?
So I think education is the right measure.
Mrs. Bono Mack. Thank the gentleman.
The chair recognizes Dr. Cassidy for 5 minutes.
Mr. Cassidy. Thank you.
I am never quite sure I understand this issue as much as I
try and understand it.
Ms. Lawler, did I hear you say that only 0.05 percent of
people actually opt out?
Ms. Lawler. Here is what I was saying is, we were talking
about the opt-out rates for email marketing, which is different
than the discussion that the majority has focused on today
around online behavioral advertising. So what I was actually
listing was kind of a range of industry standard, which is 0.1
to 0.05. That is a different kind of data than what we are
talking about with opt-out for behavioral advertising.
Mr. Cassidy. Ms. Woolley, Ms. Dixon raises some troubling
things in their testimony. She speaks of how AOL once released
some data sets; New York Times was able to track backward from
these compressed data sets, supposedly disjointed, to find out
where somebody lived. Now, do current self-regulating processes
prevent that from happening again? Because that would certainly
spook me if the New York Times was knocking on my door hey,
Bill, what is happening? So you see my question?
Ms. Woolley. I am not familiar with the point that was
raised.
Mr. Cassidy. Ms. Dixon, will you mention to her what your
testimony said?
Ms. Dixon. In the testimony, I was talking about that we
needed a larger vocabulary when we are talking about online
privacy. And I mentioned the AOL data breach in 2006. What
happened is researchers at the company released data sets that
were anonymized information about users, supposedly, and after
it was released, a New York Times reporter went through and was
easily able to look at little bits and pieces of scattered
information that consumers had typed into search engines, and
they identified people.
Mr. Cassidy. So that said, that is troubling.
Ms. Woolley. Yes, it is troubling. And the whole issue of
data breach is very troubling. And I think that we need to be
very careful about separating out privacy issues from data
breaches. And the data breach issues I think require some
significant action by Congress.
Mr. Cassidy. Ms. Dixon, would that answer satisfy you?
Ms. Dixon. I think that what happened at AOL was part of an
environment where there is not a clear idea of what privacy
benchmarks and standards there are.
Mr. Cassidy. Yes, but that was a data breach?
Ms. Dixon. I am not so sure that it was a data breach. I
think that it can't easily be defined that way. Because when
consumers type their search queriesinto that search engine,
they relied on that AOL privacy policy that says, hey, we are
going to do X, Y, and Z.
Mr. Cassidy. Let me move on.
Mr. Hintze, when I log on to MSN and I put in my user ID
and then I hit in private browsing, does MSN or Bing still
track me, even though Fox Sports may not or----
Mr. Hintze. The in private browsing feature in our Internet
Explorer browser blocks third parties who are present on the
Web site you have gone to. But when you have gone to a Web
site--say you have gone to MSN. In that case, MSN would be the
first party. That is the company, that is the Web site you
chose to interact with. So it doesn't block the connection to
that first party.
Mr. Cassidy. So does MSN then track me across the
Internet----
Mr. Hintze. No. The in private browsing, it prevents
anybody who, other than the site you have chosen to go to--so
when you go to MSN, MSN knows you are there. When you go to
Amazon, Amazon knows you are there. But if there were a common
third party, they would not be able to track you across those
two sites because you blocked them.
Mr. Cassidy. So for my home page for MSN, I have a Web site
from Home Depot. Home Depot would not know, but MSN still
knows. Is that correct?
Mr. Hintze. Correct. If you type www.MSN.com into your Web
site.
Mr. Cassidy. Now I think I understand now how data is
anonymized and theoretically, if you will, I am protected, but
I gather that if you are MSN, Yahoo, or Google and I log in,
that is not anonymous. That is actually me. Now, so, again, I
am trying to understand this. I apologize if I sound stupid,
but you can take, unlike everybody else who is anonymous, you
actually know it is me. Now to what degree can you collate that
with other information from other third parties?
Mr. Hintze. You are correct that when you sign into a site
you have self-identified yourself to them. You have said, hey,
it is me; you have a billing relationship with them, for
example. There are different methods used within the industry
to anonymize data. Some are stronger than others.
Mr. Cassidy. Does MSN anonymize my data once I have signed
in, or do they keep it much as apparently AOL did, as a dataset
which could be leaked and which could then be tracked back to
my home address?
Mr. Hintze. For search data, we store search queries, for
our Bing search engine, we store search queries in association
with a unique identifier which we put technical controls,
including one-way cryptographic hashing, to prevent that data
from being associated with identifiable data that you may have
provided to another one of our sites.
So, for example, if you had a Hotmail account and you had
given us your name and your city, we would have that in one
database, and we put in measures to make sure that when you put
in your search query, that data is not associated, it is in
different buckets.
Mr. Cassidy. I am out of time, but I may hang for the
second round. Thank you, I yield back.
Mrs. Bono Mack. I thank the gentleman, and a few of us have
stuck around for a second round. So I am going to begin with 5
minutes for myself, and the question--I don't know if it would
be better for Mr. Hintze or Mr. Meyer or who. Anybody can take
a crack at this. Something that just popped into my brain was
deep packet inspection, and we haven't talked about that at all
today. But my example is the other day I received an email from
a friend of 40 years ago who I did gymnastics with. The message
said ``gymnastics'' somewhere in there, and sure enough, for
the first time ever, I received a bunch of ads about buying
tumbling mats. I never, ever have gone online to look for
tumbling mats.
Deep packet inspection, is it a part of your thinking here,
or is it as troubling to you as that glaring example was to me?
Mr. Hintze. I will just briefly respond and then let
others. We don't engage in it. It is not how we run our ad
network. Even within our own email online service Hotmail, we
do not base advertising based on the content of your email.
Other companies do that; we do not.
Mrs. Bono Mack. Have you supported in the baseline
legislation, you have said you supported in the past, something
that----
Mr. Hintze. We have supported Federal baseline privacy
legislation. Like others on the panel, we think it should work
in conjunction with self-regulatory initiatives with safe-
harbor provisions, but it is something we have supported.
Mrs. Bono Mack. And DPI, would you support throwing that in
there, then? Deep packet inspection, would you support putting
that in there?
Mr. Hintze. You know, I think that one of the challenges
with legislation is that when you get into particular
technologies and try to ban technologies or methods, that can
have unintended consequences.
Mrs. Bono Mack. Thank you.
Mr. Hintze. You talk about deep packet inspection, you talk
about supercookies, there are certainly uses where we think
those methodologies are inappropriate and invasive and not
consistent with consumer expectations or choices they have
made. But one can imagine that those kinds of technologies
would be put to very beneficial uses, and so I think we have to
be very careful about trying to regulate specific technologies.
Mrs. Bono Mack. Thank you. Mr. Meyer?
Mr. Meyer. I agree with Mr. Hintze. I think that Evidon's
purview doesn't expand out into deep packet inspection, but our
opinion is similar to the opinion on supercookies, that right
now we don't see it as a good use in online marketing, but
legislation carries with it a lot of risks around legislating a
technology when things are evolving this quickly.
Mrs. Bono Mack. Thank you. I really enjoyed Mr. Guthrie's
questioning earlier. He really got to the crux of the whole
matter, what does this mean.
Miss Dixon, you took a crack at the answer, but it is the
reputational harm that we are all concerned about, and then I
am also concerned about a bridge too far. When does
reputational harm then translate into physical harm? And those
are the questions that I think we need to grapple with as
policymakers. But I have also--and I keep going back to how the
content, we had, you know, P2P, we had Kazaa, and Napster, and
some things come up, and then i-Tunes came on the scene to deal
with peer-to-peer, and now we are back to like a Spotify method
where content is all free again. You can download 3,000 songs
for free.
So it is still evolving, and the business models are
evolving. But really, me perhaps jumping ahead here to Intuit.
Reputational harm for consumers is one thing, but I know that
Intuit, the reputational harm that could happen to a company
should they breach consumers' confidence is also something
worth considering.
And I think, Ms. Woolley and Ms. Lawler, if you would like
to take the next minute and 45 to talk about your version of
what would happen to your company if you lost consumer
confidence by breaching what consumers believe you do to
protect them.
Ms. Lawler. When we conducted our customer research to
understand their attitudes about privacy and how data was used,
our customers were very clear that as long as we were open and
honest and clear with them about what we were doing and giving
them choices, that they would trust us, continue to trust us.
So they said things like, ``I will continue to use your
products because of the data stewardship principles that you
are showing us; I feel safer in an unsafe world.''
Conversely, what we saw, because we did quantitative
research where we got a lot of verbatims that I have just
mentioned, but we also did qualitative studies where we talked
one on one and in small groups, and in those sessions, I think
our customers--and I think it is a proxy just for consumers at
large--when you are dealing with unique data about me that is
sensitive to my life or my business, I want control, I want to
know what is going on, and if you screw that up, I am certainly
going to consider going somewhere else.
And to the point someone made earlier, consumers make
choices with their feet and with their wallets. They also make
choices in the online world essentially with their fingers and
eyeballs. So that is why being as open and clear and
transparent, starting with this idea that it is the customers'
data, not ours, and putting them as much in control as
possible, is just critical to our success. It enables us to
actually innovate and use their data to benefit them in ways
that improve their lives.
Mrs. Bono Mack. Thank you. Ms. Woolley, if you would like
to.
Ms. Woolley. Thank you. One of the things that is great
about the DAA program is that in order to get the principles in
the first place, thousands of companies participated in that
process, and the six trade associations that developed it also
represent thousands of companies, so it really is a consensus-
based program. And the reason that so many companies came to
the program and came to the table was because they are all
intent on doing the right thing. Obviously there are outliers
out there who may or may not be as interested in doing the
right thing, but the goal of the program is to get as many
companies into the program as possible, and so the issue of
reputational harm is clearly front and center for all of them.
Mrs. Bono Mack. Thank you, and my time has expired. And I
recognize Mr. Butterfield for 5 minutes.
Mr. Butterfield. Thank you. Social networking sites like
Facebook have made it possible for Internet users to share the
details of their lives. The things users share can include
seemingly mundane and harmless things like where they were
born, or head shots and picture profiles. It can also include
more intimate and personal details, like how they are feeling
physically or mentally, their relationships, their political
leanings, or even their work history or other affiliations.
Some choose to put all of this out there for the whole wide
world to see--I am not one of those, but some do--while some
choose to make only the barest of details available to the
world and selectively share based on their preferences.
Professor, in your testimony you discuss briefly a couple
of studies you have contributed that support the view that
consumers' ability to make rational and fully informed
decisions about their privacy preferences are constrained,
constrained both by our limited ability to process information
available to us, and advances in technology whose implications
can't be understood or predicted by consumers. Specifically,
you mentioned a study in which you were able to identify
individuals and infer personal information about them using
facial recognition technology in photos they had posted online
on sites like Facebook. That is absolutely incredible.
Can you please discuss this study a bit more, briefly
describe what you did, what bits of information you used, how
easily available it was to you, and what further information
you were able to infer?
Mr. Acquisti. Certainly. Indeed, our study was about
finding out what happens when you combine publicly available
information with off-the-shelf technology such as face
recognition and cloud computing, and you put them together and
you try to identify individuals online and offline and then
infer more sensitive information. What we did, we started from
images of faces of people that I could call them anonymous in
the sense that we didn't have a name when we started the
experiment. These images either came from online environments
such as dating sites or from the State, students on the CMU
campus. We used face recognition and cloud computing to compare
these images to images we had downloaded from publicly
available data, profiles on popular social networking sites,
and when we found matches between a face in the first group and
a face in the second group, we could then infer
probabilistically the name of the person, up until then
anonymous. With the name, we could then search for personal
demographic information.
For instance, from Facebook profiles we can find often the
hometown where the person was born and the date of birth, and
then with the hometown and the date of birth, using an
algorithm we developed 2 years ago, we ended up predicting the
Social Security number. So the sequence is start from a face,
find a name online associated with the face, find publicly
available information, not sensitive, but demographics for
instance for the person, and with that information infer
something more sensitive. It is a process of data accretion
which shows the challenges we face in protecting privacy.
Mr. Butterfield. You mentioned Social Security numbers, and
that is somewhat intriguing. Are you saying that you are able
to possibly predict Social Security numbers based on simple
demographic data put up by individuals on Facebook?
Mr. Acquisti. Yes. When I say ``predict,'' I stress that I
am talking about a probabilistic prediction, not deterministic.
What I mean is that a Social Security number has nine digits,
and we would not be able to predict with a single attempt all
nine digits at the same time, so our degree of accuracy
changed, depending on whether we consider only the first five
digits or all nine. But the stories that--and we showed this 2
years ago, because data about Social Security numbers is
already publicly available--it is called the so-called death
master file. It is a public database of all Social Security
numbers of people who are dead, and because we have so much
demographic data for people who are alive, we can interpolate,
combine the two datasets and end up predictions as a sense for
alive individuals.
Mr. Butterfield. Let me yield to the chairman.
Mrs. Bono Mack. I appreciate that very much. I think this
is an important point that needs serious clarification. You can
find all of that data on any public figure right now by going
to a bio. You can open a book, somebody has written their life
story. You don't need to create an algorithm, you can just do
that.
Why aren't people just creating, I mean other than creating
the Social Security number, but you are trying to protect
people from--for example, any Member of Congress, all that data
is out there. So how is it different?
Mr. Acquisti. So, indeed, there are two points to make
here, one specific to as a sense. In recent years the
regulatory approach has been towards making Social Security
numbers less available, because we know they are so sensitive.
And in a way that is well intended, a good meaning; but the
challenge we show with our results is that even if you make
Social Security numbers less available in public documents,
they can still be predicted from otherwise publicly available
data.
Mr. Butterfield. Thank you.
Mrs. Bono Mack. Thank you so much, Mr. Butterfield.
Mr. Butterfield. Uh-huh.
Mrs. Bono Mack. But your point that you began with, I think
facial recognition technology is troubling for everybody, but
your point was you are not critical of Social Security numbers.
You are talking about how easy it is to search because, you
know, we could be taking a picture of any of you and suddenly
by tomorrow have your Social Security number.
Mr. Acquisti. This is absolutely correct.
Mrs. Bono Mack. This is a privacy debate. On the online
world we are asking for more than perhaps has been out there
for years, and these things aren't happening. So I just want to
point that out, and I have overexhausted his time, so I need
to--oK, yes, if you can respond briefly.
Mr. Acquisti. The Social Security number prediction is just
an example what can be done. The story we were telling with
this recent study is that we are now close to a point where you
can start from an anonymous face in the street and predict
sensitive, not publicly available, but sensitive information
about the person.
Mrs. Bono Mack. I thank the panel and the gentleman for
yielding to me, and I am happy to now recognize Mr. Stearns for
5 minutes.
Mr. Stearns. Thank you, Madam Chair. We hear from consumers
and from researchers like the professor today, and even from
Intuit's own research, that privacy policies are too
complicated and consumers don't bother to read them. And
myself, if it is one or two pages I don't go further. And so I
think most consumers just don't take the time. And then, of
course, if the privacy is on the thin side and they are just--
such that they don't advocate enough, enough protection.
So I guess, how do we bridge the gap and provide full
disclosure without alienating the average consumer who is not a
privacy professional? It seems to me that is about where we
are. If we are talking about self-regulatory incentives, then
you have got to have some kind of policy which bridges this gap
and provides the information without confusing the consumer. So
I thought I would just go from my left to my right, and maybe
some ideas of how we could do this so that consumers are
educated, for one; and two, that the privacies are not
complicated and maybe design work or something like that, some
ideas.
Ms. Lawler. We are experimenting with different types of
what I would call explanations to customers, and that is really
out of our research--and some of our early findings suggest
similar to what we have heard a little bit about today, a
simple, plain English explanation in context. So you can't
offer big blanket opt-in or opt-out or whatever kind of choice
at the beginning of something where it is not relevant to me. I
don't understand it. Customers have been very clear about that.
And I think there are probably other studies that validate
that, but in context.
So we are actually running tests right now. We don't have
the data yet. We would be happy to come back and share that at
a future time.
Mr. Stearns. OK.
Ms. Lawler. One of the other things that we did that I
think--just a couple of other quick thoughts, sir--is if we
stopped thinking about privacy policies and privacy statements
and put it in this framework and this idea that is plain,
simple, short explanations, you have to have a policy
somewhere, but really what consumers want is something that is
simple, easy to understand, real-time. And if companies haven't
done it, what I would suggest they do, which we did recently
and have made improvements significantly, is run your policy
statements, your explanations, through a grade-level analyzer.
So we did that, and we have simplified our language so that it
was closer to a 9th grade level rather than where we started a
couple years ago at a 13th grade level.
Mr. Stearns. OK. Let me go through the panel here. I have
only got about 2-\1/2\ minutes left.
Mr. Hintze. Yes. To cut this short, I agree with everything
Ms. Lawler said. I think that in our experience the challenge
is to get information in front of people when you are most
likely to capture their eyeballs and their attention, and
sometimes that means at the point of a decision making, when
they are making a particular decision. Sometimes that can be
too disruptive because they are so anxious to get the thing
done that they are trying to get done, that if you put
something in front of them, they are just going to hit
``cancel'' or ``yes'' or whatever the default is. So sometimes
it is at the time you are installing a product. Sometimes it
really sort of varies and you get there with a little bit of
trial and error.
Mr. Stearns. But the point at which you get their attention
is what you are saying.
Mr. Hintze. Yes, yes.
Mr. Stearns. Mr. Meyer.
Mr. Meyer. That is our business to figure this out, and the
key thing I would add to the discussion is----
Mr. Stearns. Why, Mr. Meyer, don't you have privacy with a
video, just a quick--I never see anybody have a video for
privacy.
Mr. Meyer. Some companies, some of our clients, do have
videos in their privacy policy.
Mr. Stearns. Somebody would say do this, do that.
Mr. Meyer. Yes, it all depends on the segment. It is very
hard to know which type of user is showing up in which
particular experience, and the key is to create a layered
experience so that it can stand up to the scrutiny of, you
know, privacy advocates and academics, and as well as be simple
enough for someone to get through it in a few clicks. And that
is part of the reason we did this partnership with Akamai, to
get the first layer as close to the point of engagement as
possible, and then allow consumers who want more detailed
information to dig through it, but not force them to read
through a whole complex policy.
Mr. Stearns. Gotcha. Ms. Woolley.
Ms. Woolley. The goal that you mentioned is exactly the
goal of the program, the advertising option icon program. It is
in one or two clicks a simple explanation about what is going
on, not----
Mr. Stearns. Have you thought about using video on it?
Ms. Woolley [continuing]. A deep privacy policy, and also
you can opt out.
Mr. Stearns. Instead of a narrative, do you think a video
would be better?
Ms. Woolley. There is not a video, but good idea. I mean,
it is something we may try and do.
Mr. Stearns. Because you see, across these Web sites, the
ones who are most successful have the videos instead of the
narrative. Anyway, Professor?
Mr. Acquisti. Two solutions which need to complement each
other; one is standardize the starting line of privacy
policies, which are common in form across Web sites. This
decreases the cognitive costs for the consumer. And the second,
a baseline level of protection further through regulation.
Mr. Stearns. Would that come from that baseline from the
Federal Trade Commission? Where would that baseline come from?
Mr. Acquisti. For instance, from the Federal Trade
Commission.
Mr. Stearns. Oh, OK. Ms. Dixon?
Ms. Dixon. I agree with Professor Acquisti's remarks. I
would just add one thing. We are talking about improving self-
regulation of consumers. I think we ought to hear from the
consumers, and the consumers ought to be part of that self-
regulatory process and have a permanent and defined role in
that process so they can give us direct feedback.
Mr. Stearns. Good. All right. Thank you, Madam Chair.
Mrs. Bono Mack. Thank you, Mr. Stearns. The chair is happy
to recognize Dr. Cassidy for 5 minutes.
Mr. Cassidy. Mr. Hintze, OK, somebody--you have a phone,
right? You have a phone system? So Microsoft does. If I log on
my phone, I register my phone, I pull it out of the box and I
register it, it says hey, I am Bill Cassidy, I am da-da-da, and
I also again have MSN. You spoke about this kind of firewall,
if you will, between my Hotmail account and my MSN activities.
But what if Apple or Google or Yahoo! or you--I have a phone
and either I have the phone which your company provides, or I
am using the operating system that your company provides, or I
am plugged into my browser on the phone; is that data
correlated with my desktop browsing?
Mr. Hintze. No, and----
Mr. Cassidy. And do you speak just for Microsoft or do you
speak for an industry standard?
Mr. Hintze. I am speaking for Microsoft. I am speaking for
Microsoft. Well, it depends. It depends on the scenario you are
talking about. If you log in to your Hotmail account on a PC
and then you log into your Hotmail account on your phone, it is
the same account; that data is connected on the back end. The
problem is there are many different scenarios we can go
through.
If you are using a location-based service, where we as the
operating service on the phone is providing this location
service, that location data comes up without any identifying
information. It comes up only so that it can send back location
information so that an application can take advantage of that.
And then on our back end, we don't store any unique IDs at all
associated with the hardware or a user, and so, you know, it
really depends on the scenario. In a logged-in scenario is the
one scenario where, yes, there would be a linkage across the PC
and----
Mr. Cassidy. Now, would this data be, could this data be or
is this data, when it is connected, is it collated, correlated,
da-da-da dated, in order to further target me in a more
sophisticated fashion?
Mr. Hintze. We are just moving into mobile ads, and so in
the future I think the answer will be yes. But, again, we would
do that in a way that takes into account our own privacy
standards, the standards that are being developed by the self-
regulatory initiatives, et cetera. So yes, but people will have
choices about that.
Mr. Cassidy. OK. Ms. Dixon, what are your thoughts about
that, because you seem to kind of come from the most sort of
we-have-to-be-concerned perspective?
Ms. Dixon. Yes, the tethered applications, mobile phones
that are--there is certain hard encoding that Mike could tell
you more about, that links that phone directly to a person's
identity in different ways than Web browsing does. So when we
are talking about linking ads to phone technologies, I think
that we are entering a new arena. The self-regulatory regime in
place for that is a code of conduct by the Mobile Marketing
Association, and the codes are profoundly general. They are so
general it is unbelievable, and they are not protective at all.
So a great deal of work would have to be done to reform this
space or to regulate the space in order to provide baseline
consumer protection.
Mr. Cassidy. Ms. Woolley, what are your thoughts about
that? And, again, I am going to cut you off in a second because
I have one more question for Mr. Hintze.
Ms. Woolley. Thanks. We are in the process of developing a
program, building up a program where this icon will migrate to
ads that are served on mobile devices. So a consumer will be
able to not only see an ad on a mobile device, but he or she
will be able to see the icon and opt out on that mobile device.
And those choices, as we develop that program, expand that
program to a mobile device, those choices must be honored by
everybody in the chain of delivering that ad on a mobile
device, the same way that the choices have to be honored.
Mr. Cassidy. So you agree with Ms. Dixon, but you feel as
if that work, that hard work is being done, if you will?
Ms. Woolley. Absolutely.
Mr. Cassidy. OK. Now, Mr. Hintze, in your testimony,
reference 19--reference, I should say comments--you say that
even if responsible companies adopt strong practices and
participate in self-regulatory initiatives, bad apples can
spoil the whole bunch. Michael Jackson's redux. And government
can play a role by setting baseline standards.
Now, that is a little bit less libertarian than I think
some of the others on the panel. So you do see a role for
government setting baseline standards. Mr. Stearns has
legislation which, frankly, I haven't read, but he referenced
it earlier. Have you read it, and if so--if not, confess; but
if so, what are your thoughts on it?
Mr. Hintze. We have read it and we have been on record for
I think about 6 years now of supporting baseline Federal
privacy legislation, that again it would be principles-based,
not technologies-based. It would have to be flexible and
incorporate safe harbors for effective self-regulatory
initiatives. But there are a lot of things in Mr. Stearns' bill
that we are supportive of, and we are, you know, happy to work
with this committee and your office, Mr. Stearns, on that as
well, going forward.
Mr. Cassidy. OK. I am out of time. I yield back, and I
thank you.
Mrs. Bono Mack. Thank the gentleman, and we would like to
thank our panel very much for being with us today. You have
been quite gracious with your time, and I look forward to
working with all of you again as we get closer to making some
important decisions about the best ways to protect the online
privacy of American consumers.
I thank Mr. Butterfield and all of the members and staff of
this terrific subcommittee for their participation.
This was the fourth in our series of online privacy
hearings so far this year. As the bits and bytes begin to add
up, I think that we are getting closer and closer to
understanding what the American consumers really want with
respect to online privacy.
I remind members that they have 10 business days to submit
statements and questions for the record and ask the witnesses
to please respond promptly to any questions they receive.
The hearing is now adjourned.
[Whereupon, at 11:29 a.m., the subcommittee was adjourned.]
[Material submitted for inclusion in the record follows:]
[GRAPHIC] [TIFF OMITTED] T4605.139
[GRAPHIC] [TIFF OMITTED] T4605.140
[GRAPHIC] [TIFF OMITTED] T4605.141
[GRAPHIC] [TIFF OMITTED] T4605.142
[GRAPHIC] [TIFF OMITTED] T4605.143
[GRAPHIC] [TIFF OMITTED] T4605.144
[GRAPHIC] [TIFF OMITTED] T4605.145
[GRAPHIC] [TIFF OMITTED] T4605.146
[GRAPHIC] [TIFF OMITTED] T4605.147
[GRAPHIC] [TIFF OMITTED] T4605.148
[GRAPHIC] [TIFF OMITTED] T4605.149
[GRAPHIC] [TIFF OMITTED] T4605.150
[GRAPHIC] [TIFF OMITTED] T4605.151
[GRAPHIC] [TIFF OMITTED] T4605.152
[GRAPHIC] [TIFF OMITTED] T4605.153
[GRAPHIC] [TIFF OMITTED] T4605.154
[GRAPHIC] [TIFF OMITTED] T4605.155
[GRAPHIC] [TIFF OMITTED] T4605.156
[GRAPHIC] [TIFF OMITTED] T4605.157
[GRAPHIC] [TIFF OMITTED] T4605.158
[GRAPHIC] [TIFF OMITTED] T4605.159
[GRAPHIC] [TIFF OMITTED] T4605.160
[GRAPHIC] [TIFF OMITTED] T4605.161
[GRAPHIC] [TIFF OMITTED] T4605.162
[GRAPHIC] [TIFF OMITTED] T4605.163
[GRAPHIC] [TIFF OMITTED] T4605.164
[GRAPHIC] [TIFF OMITTED] T4605.165
[GRAPHIC] [TIFF OMITTED] T4605.166
[GRAPHIC] [TIFF OMITTED] T4605.167
[GRAPHIC] [TIFF OMITTED] T4605.168
[GRAPHIC] [TIFF OMITTED] T4605.169
[GRAPHIC] [TIFF OMITTED] T4605.170
[GRAPHIC] [TIFF OMITTED] T4605.171
[GRAPHIC] [TIFF OMITTED] T4605.172
[GRAPHIC] [TIFF OMITTED] T4605.173
�